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Sent: 

To: 


be 

b7C 


Cc: 

Subject: 
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Thursday li.lv 9R 9007 2:06 PM 
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KOTD) ( CON);[ 
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l(OTD) (CON)! 


l ( OTD) (CON);[ 
KOTD) (FB )l 


& 

fpTD) 


TOTD) (CON); 


l(QS) (CO N) 


](OTD) (FBI); 


KOTO fFBI)f 


’[•liOKa-ira 


lOTD) (CON); 


m 


] 


s 


(OTD) (CON) 


Urgent FOIA Request - Deadline - Friday, August 3, 2007 


Importance: High 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Good Afternoon, 


Per UC j I please provide hard copies of ALL documentation, to include e-mails, concerning CIPAV Technology. 

All information is to be turned in by COB Friday. August 3rd. 2007 . Additionally, it is requested that you please put all 
documents in chronological order. If I am not in the office that day, please take your documents to l 1 


Thanks, 


I I 

Management Assistant 
Operational Technology Division (OTD) 
Crvntntnnir and Electronic Analysis Unit (CEAU) 
l(Chantilly) 

(Quantico) 

(Cell) 


b6 

b7C 

b2 


SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 03-12-2008 BY 6D322UC/LP/STP/gjg 


1 









From: 

Sent: 

To: 

Subject: 


I I (OTP) (FBI) 

Tuesday, July 24, 2007 3:57 PM 

l (OTD) (FBI) 

FW: FOIA request from Wired News 


b6 

hlC 


UNCLASSIFIED 

NON-RECORD 


FYI. 


Operational Technology Division 
Data Acquisition and Intercept Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
(desk) 

(cell) 

(fax-un class) 


b6 

b7C 

b2 


— Original Message — 

From: 

Sent: 

To: 

Subject: FW: FOIA request from Wired News 


K SE) (FBI) 

July 24. 2007 3:54 PM 

i(CyP) (FBI);| 


OTD) (FBI) 


UNCLASSIFIED 
NON -RECORD 


b 6 
b7C 


FYI, we received the below FOIA request and responded through our CDC SSA| [ 

1 understand there was a flurry of activity last week related to the conviction of the defendant, the subsequent media 
attention, and misinformation being circulated about the manner by which this case was handled by my squad. 

Please let me know if anyone has any pending issues concerning the above. 


b6 

b7C 


Thank vou J 1 



UNCLASSIFIED 

NON-RECORD 


b6 

b7C 


Your inquiry was forwarded to me for resolution since I am the Field Office FOIPA Coordinator. 

The technique you mention in your e-mail is a sensitive law enforcement technique. The Seattle Field Office does not 
believe it appropriate to release any information about this technique, beyond that which was contained in the affidavit, and 

x 

ALL INFORMATION CONTAINED 

HEREIN 13 UNCLASSIFIED 

DATE 02-24-2009 BY 60322UC/L?/STP/gj g 




V 


. recommends that you consult with the foiks in 
opinion prior to processing the request. 

If I may be of further assistance please let me 
Thank vou. 


Supervisory Special Agent 
Chief Division Counsel 
Seattle Division 

__ I 


the Cyber Division and/or the Operation Technology Division for their 
know. 


b6 

hlC 

b2 


— Original Message — 

From: 1 ~1 (SE) (FBI) 

Sent: Monday. July 23, 2007 4: 1 8 PM 

TO! L J (SE) (FBI) j | (SE) (FBI) 

Cc: 1 I fSE) (FBI) 

Subject: FW: FOIA request from Wired News 

UNCLASSIFIED 

NON-RECORD 

b6 
Id 7 

— Original Mess age — 

From: I K SE) (FBI) 

Sent: Monday, July 23, 2007 12:07 PM 

To: I I fSE) (FBI) 

Subject: FW: FOIA request from Wired News 

UNCLASSIFIED 

NON-RECORD 


— Original Mess age — 

From: I T rMD) (FBI) 

Sent: Monday. July 23 . 2007 1 1:56 AM 

To: l _ K SE) (FBI) 

Subject: FOIA request from Wired News 

UNCLASSIFIED 

NON-RECORD 


1 l 

We received a FOIA request from Keven Poulsen, Wired News, addressed to FBI HQ, 'seeking any documents, including 
but not limited to electron records, concerning the FBI's development and utilization of so-called "Computer and Internet 
Protocol Address Veridier" [CIPAV]'. I already did a ACS search and did not come up with any information. 

i bring this to your attention, because the writer mentioned the following, "A CIPAV is described in a June 12, 2007 
application and affidavit filed by FBI Special Agent Norman B. Sanders, Jr of the Seattle Field Office as something that can 
be transmitted electronically to an investigation target, and , once activated, *will cause the activating computer to send 
network level messages, including the activating computer's originating IP address and MAC address, other variables, and 
certain registry-type information' to a computer under the FBI control.” b6 

blZ 

Do you know where this information is located in order to respond to the FOIA request? 

Thanks for your assistance. 


Legal Administrative Specialist 


UNCLASSIFIED 


2 



b6 

b7C 


From: 

Sent: 

To: 

Subject: 


I f OTP) (FBI) 

Tuesday. July 24. 2 007 3:25 PM 

k OTD) (FBI) 

RE: SF Newspaper Ad Response 


SECRET 
RECORD 134M 


Thanks for info 


Original Message 

1-Orig I If OTtn (FBI) 

nal i Tuesday. July 24. 2007 3:21 PM 

MOi i If OTD) (FBI) 

nesDaA i FW: SF Newspaper Ad Response 

VrIO- SfAai High 


SECRET 

record! 


:b6 

:b7C 


See the entire thread. This may be fall out from the CIPAV article and news story. In case you didn’t know, a 
complete story appeared on Fox News a day after the story broke. A former AUSA appeared on the show and talked 
exclusively about the capability of the tool and the legal issues concerning it. 


Operational Technology Division 
Data Acquisition and Intercept Section 
Cryptologic and Electronic Analysis Unit' 
.Software Development Group 
(desk) 

(cel!) 

(fax-unclass) 


b 6 

b7C 

b 2 


i 


Original 

l-Orig 
nal i 
MOi 

nesDaA i 
VrIO- SIAai 


Message 

I — □(OTP) (FBI) 

Tuesday. July 24. 2007 3:14 PM 
I □ (OTP) (FBI) 

FW: SF Newspaper Ad Response 
High 


SECRET 

RECORD 


b6 

b7C 


fyi 



nesDaA i FW: SF Newspaper Ad Response " 

VrIO- SIAai High 


DATE; 10-15-2008 

CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 10-15-2033 

ALL INFORMATION CONTAINED 1 

HEREIN IS UNCLASSIFIED EXCEPT 
NHERE SH0UN 0THERNISE 


SECRET 

RECORD 


he 

b7C 


b2 


! 

j 



— Original 

Messaqe 

1-Orig 
nal I 

I IfOTD’i fFBII 

Titacriau liihL.17 11:12 AM 

MOi 

ICOTD) (FBI) 

nesDaA i 

FW: SF Newspaper Ad Response 

VrIO SIAai 

High 

SECRET 

RECORD 

1 1 


FYI 


— Original Message — 

1-Orig | l(OTD) (FBI) 

nal i mesoay, Jmy 1 /, zOQ7 9:12 AM 

MOi J JWF) (FBI) . 

/Al 1 l OTD) (FBI); 1 K OTP) (FBI) 

nesDaA i FW: SF Newspaper Ad Response 

VrIO SIAai High 

SECRET 

RECORD I I 


■b6 

b7C 


b6 

b7C 



Have you seen this? Also, we have not seen any of \b 
Friday, 07/13. 


bl 

since 




b2 


— Original typssanp- 
1-Orig 
nal i 
MOi 




Hl(OTD) (FBI) 

Tuesda y, July 17, 2 007 8:11 AM 

~lroTP) 


#Ai 

nesDaA i 
VrIO SIAai 


[ 


I 




1(QTP) 




~koTD) (FBI);[ 


(OTD) (FBI) 


(uiuj (i-ai) 


JOTD) (FBI); 


Ifflffl) fFRVlf 


] m ) (pbd; | 


FW: SF Newspaper Ad Response 
High 


b6 

b7C 


SECRET 

RECORDl I 


FYI. Please let me know if anything [ 


— Original Message — 
1-Orig I 
nal i 
MOi 


](CO) (FBI) 


nesDaA 


Monday. Ma_6, 2007 5:15 PM 

I . 

FW: SF Newspaper Ad Response 


has stopped working. 


b2 

b7E 




Totdi fFBn 


5 


CD) (FBI) 


]OTD) (FBI); 

'b6 
b7C . 


SECRET 

RECORD} I 





Please see below if you haven't already. 
Regards, 



— Original Message — 

1-Orig | ~~ 

nal I ."Mnntiay ?n 

MOi I 

nesDaA t 


](CD) (FBI) 

S 7 4r55 PM 
CD) (FBI) 


FW: SF Newspaper Ad Respon 


i 


(CD) (FBI) 


SECRET 

RECORD! 


b6 

b7C 


— -Original Message 

l-Orig I If HO) (FBI) 

nal i Monday, July 16. 20 07 4:54 PM 

MOI | I (CD) (FBI) 

nesDaA i RE: SF Newspaper Ad Response 

SECRET 

RECORD 


My replacements arJ 


ss/1 | 

Houston uivision 
Squad CI-3 

{(Office) 

{(Blackberry) 


be 

b7C 


b2 


— Original Message — 
1-Orig 1 ~ 

nal i Mnnrlav. lulv 16 
MOi I 


CD) (FBI) 
07 3:34 PM. 
OTD) (FBI)f 


nesDaA [TWrSFT75wSpSS3er Ad Respond 


}HO) (FBI) 


SECRET 

RECORD 


1 1 know you both 

I'm back in NY and 



for SQ. 


have successors but I didn't know who they were, 
saw this traffic. I don't know if this has any implications 


be 

b7C 


— Orig inal Message— 
i-Orig [ 

nal i Monday, lulu- 
MOi 


as 


](NY) (FBI) 
1:26 PM 
V (FBI, 


a 


ttpeuC 


£ 


am 


](CD) (FBI)[ 


IwY) (FBI)1 

ffilM 


(NY) (FBI) 


1(NY) (F BI) l I 

r iY)fcBn[ 


iNYl 


3 







earlier today. 


CD) (FBI 









♦ 



Internet Cafe) 


b2 

b6 

blC 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97, Foreign Counterintelligence 
Investigations _ 

DECLASS IFICATION EXEMPTION 1 
SECRET 


DERIVED FROM: G-3 1FBI Classification Guide G-3. dated 1/97, Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 * 

SECRET 

DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97, Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 


DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97,/Foreian Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 



DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 



DERIVED FROM: G-3 FBI Classification Guide G-S.NJated 1/97. Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 


DERIVED FROM: G-3 FBI Classification Guide (5-3. dated\l/97. Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 

DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97. foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 

DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreiart Counterintelligence Investigations 
DECLASSIFICATION EXE MPTIONS ~ 

SECRET 

DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97. Foreign Couikerintelliaence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 


DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97, Foreign Counterintelligence Investigations 
DECLASS IFICATION/EXEMPTION 1 
SECRET 



DERIVED FROw^gfc^gylassification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 


5 




Subject: 


(OTD) (FBI) 
RE: CiPAV? 


(OTD) (FBI) 

’ 8:29 AM 
(FR) (FBI),— 
(FR) (FBI)L 


[OTD) (FBI); 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


CIPAV is ha ndled by the unit next door to us, the Crytolocj ic and Electronic Analysis Unit (CEAU). Their UC is 
~| and the SSA over that program is l l . 1 have cc'd them on this e-mail. 

b 2 

b6 

1 b7C 


SSA I 1 

Acting Unit Chief 

Data Intercept T echnology Unit 

(STU) 


b6 

b7C 


Original Message 

From: I K FR) (FBI) 

Sent: Tuesday, July 24, 200 7 6:27 AM 

To: I k OTm (FBI) 

Cc: I I fFfO (FBI) 

Subject: CIPAV? 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

b7C 

b2 


I am embarrassed to be approaching you again with a request from the Germans (after your previous help and 
offers of assistance that have not yet been follow-ed up on by our German colleagues), but they now have asked us 
about CIPAV (Computer Internet Protocol Address Verifier) software, allegedly used by the Bu? 


about CIPAV? 


Thanks again, 


is tdy here, and he is handling this matter. Can you advise him who he should contact to find out more 


Assistant Legal Attach^ 
Frankfurt, Germany 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN 13 UNCLASSIFIED 

DATE 09-26-2008 BY 0322UC./lP/STP/gjg 




l(OTD) (FBI) 


From: 

Sent: 

To: 

Cc: 

Subject: 


[ 


](OTD) (FBI) 


b6 

■b7C 


Wednesday, July 18, 20 07 5:35 PM 

_J ( SEJ (FBI) 

KOTD) (FBI); DICLEMENTE, ANTHONY P. (OTD) (FBI);[ 




(OTD) (FBI) 
Seattle CIPAV Case 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 

b6 

b7C 



I just wanted to reiterate our telephonic discussion, so that you can pass this information on to your Executive 
Management. As we are all aware, the Seattle bomb threat case has gone public on several news and technical websites, 
providing detailed information on some of the capabilities of this particular tool. This obviously causes us some concern as 
we try to make every effort possible to protect the FBI’s sensitive tools and techniques. That being said, with a good 
possibility that future inquiries will be forthcoming to Seattle Division regarding how the FBI was able to collect the 
information that ultimately helped solve this case, we want to ensure that the capabilities of the CIPAV are minimized, if 
discussed at all. This and many tools deployed by the FBI are law enforcement sensitive and, as such, we request that as 
little information as possible be provided to as few individuals as possible. Thanks and please let me know if you have any 
questions. 

I 

Unit Chief 

Cryptologic and Electronic Analysis Unit (CEAU) 


SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN 15 UNCLASSIFIED 

DATE 09-12-2008 BY 6G322UC/LP/STP/gjg 


i 

! 

i 

i 


i 


i 


1 



Please read the email from the bottom up. 


Operational Technology Division 
Data Acquisition and Intercept Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
l(desk) 

(cell) 

K fax-unclassl 


b6 

b7C 

b2 


b6 

b7C 




Science and Technology Law Unit 
Office of the General Counsel 


Fed eral Bureau of Inv estigation 
Ph - 

Cell I 

Ph (Secure) -| 

Fax -I I 



be 

b7C 

b2 


— Original Message — 

From: I l( OTD) (FBI) 

Sent: 

To: 

Cc: 

Subject: 


(S) DATE: 09-12-2008 

CLASSIFIED BY 60322UC/LP/STP/gj g 


SENSITIVE BUT UNCI 
NON-RECORD 




REASON: 1.4 (C) 

DECLASSIFY ON: 09-12-2033 

1 


b7C 

bl 


ALL INFOPI'IATI ON *T OBTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 






bl 


(S) 


(SJ 


b2 

b6 

b7C 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investiqation 
Ph -I 

Cell | 

Ph (Secure) 




i 

I 

1 


2 






5ees£t 



What are we going to do here? 




b 6 
b7C 
b 2 




(SJ 

DATE: 09-29-2008 

CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 09-29-2033 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


b6 

b7C 

b2 


stesEj 


1 






— Origin 1 Mess g 

e 


From: ] 

IrOTD) (FBI) 


Sent 

Mond y, July 16, 2007 4:30 PM 


Torf 

l&GC) (FBI) 


Cc: 1 

If OTD 1 fFBHl 

□(OGC) (FBI) 

Subject: 



SENSITIVE BUT UNCt»SSl?IED 

MS) 

NON-RECORD 



bl 

b6 

b7C 


[the pony we sent stated 

(S) - 




bl 


.u { E 


Information Technology Specialist 
Operati onal Technology Division 
Office - 
Mobile 
Pager - 



b6 

b7C 

b2 


b6 

b7C 


t 


— Origin I Mess ge-- 

From: 

Sent: 

To: 

Cc: 


](OGC) (FBI) 


Mond v, July 16, 200 7 3:52 PM 


Subject: 


SENSITIVE BUT U N 
NON -RECORD 




ItOTPJ (FBI);[ 


OTD) (FBljJ 


1 



(S) 


Iotdhfbi) 


JOGC) (FBI); 


JOGC) (FBI)£ 


bl 


b6 

b7C 


bl J 


(S) 



It may be that the case agent believes that he can get sufficient evidence frorr^ 
11 Maybe but if not, to get m ore details about the target computer. a sec 

zH 




r b2 

b7E 


bl 



( S ) ”" -fiBcessaiVv---t-stilt-6u<3flest--a-seaffC i 

(S) 


U 


Assis^gg^^Jal Counsel 


b6 

b7C 






* 



Science and Technoiogy Law Unit 
Office of the General Counsel 
Fed eral Bureau of In vestigation 
Ph -I — 

Cel 


Ph ( Secure) - 
Fax - 1 


:b6 

hlC 

b2 


SENSITIVE BUT UNCLASSIFIED 


UN^L 


SENSITtVE BUT UNCLASSIFIED 


\ / 


sensitive but Unclassified 


SENSITIVE BUT UNCLASSIFIED 






s 


T 



OTP) (FBI) 


From: 

Sent: 

To: 

Cc: 

Subject: 


l (OGC) (FBI) 
Thursday .lulvl? 10:17 AM 

rO TDl (FBI) 
B OTD) (FBI) 

FW: Lead 12/22/2005 - Banner 


b 6 
b7C 


SECRET 

RECORD 288B-SI-54759 


Attached is the banner that] 


and 


designed back in late 2005/early 2006. 


Assistant General Counsel 
Sripnne and Tanhnnlnnv Law Unit 


1 


Phone l 
Cell phone f 
Sec ure phone:! 


Y 


Fax 


b6 

blC 

h2 


— Original Mess age — 

From: I J (OGC) (FBI) 

Sent: Friday. March 10. 2006 3:31 PM b6 

To: I |(OTD) (FBI);| |(CyD) (FBI) b 7 C 

Cc: I K OGQ (FBI) 

Subject: FW: Lead 12/22/2005 - Banner 

SECRET 

RECORD 288B-S1-54759 


bl 



Assuming tha i [ concurs. request that you approve the use of this banner. You have the background and email 
strings associated with this request but if it will be helpful, I'll package them and send them to you. IVe attached the 
proposed banner for your convenience. 



DATE: 10-16-2008 

CLASSIFIED BY 60322UC/LP/STP/gjg 

PEAS ON 1 : 1.4 (C) 

DECLASSIFY 0U: 10-16-2033 

ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
TrJHEPE SHOWN OTHERWISE 




Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Feder al Bureau of Inves tigation 
Pho nd ~l 

Fax I I 


— Original Message — 

From: I ~I (QTD) 

Sent: . FddaxJMairt 10, 2006 2: 14 PM 

To: j |(OGC) (FBI) 

Subject: RE: Lead 12/22/2005 - Banner 

SECRET 

RECORD 288B-SI-54759 


Cryptologic & Electronic Analysis Unit 

Digitial Evidence Section, Operational Technology Division 



secure voice 
secure fax 


Original Message 

From: I I fOGQ (FBI) 

Sent: Friday, March 10 . 2006 11:31 AM 

To: I 1 (OTD) 

Subject: FW: Lead 12/22/2005 - Banner 

SECRET 

RECORD 288B-SI-54759 










bl 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Inve stigation 
Phon e 4 
Fax - I 




b6 

b7C 

b2 


Original Message — 

From: I 1 (060 (FBI) 

Sent 1 . Friday, March 10, 2006 11:13 AM 

To! I' — I fOGQ (FBI) 

Subject: RE: Lead 12/22/2005 - Banner 

SECRET 

RECORD 288B-SI-S47S9 



Let me know if you agree, feel otherwise, etc. 
Thanks, 


— Original Message — 

From: I ~l (OGC) (FBI) 

Sent: Friday, March 10, 2006 8:32 AM 

To: MOTTA, THOMAS GREGORY (OGQ (FBI); ! ' l (OGC) (FBI) 

Subject: RE: Lead 12/22/2005 - Banner 

SECRET , g 

RECORD 288B-SI-547S9 b7 

b2 


You have seen this. I can send you a copy of your emails if it will help. 


Assistant General Counset 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Inve stigation 
Phorjai 
Fax -L_ 


3 





J 


— Original Messa ge- — 

From: I " 1 

Sent Thursday. March 09. 2006 5:28 PM 

To;l IfqGC) (FBI) , 

Cc:l |(OGC) fFBI): l I fOGQ (FBI);| IOGC) (FBI) 

Subject: f=W: Lead 12/22/2005 - Banner 

♦ 

SECRET 

RECORD 288B-SI-54759 


b6 

b7C 


I had previously referred f b all toj Iwhile you were awasy. I I has had extensive 

Banne r review experience including some prior DoD Banners. 

I I can you review and comment. 

Thanks. 


PRIVILEGED DELIBERATIVE DOCUMENT - NOT FOR DISCLOSURE OUTSIDE THE FBI WITHOUT 
PRIOR OGC APPROVAL 


Associate General Counsel - Unit Chief 
Science & Technology Law Unit 

Engineering Research Facility ^ 

Bldg 27958A, Room A-207 ^2 

Quantico, VA 22135 
Tel. 

Fax, 


i s ) 

(S) 


— Original Message — 

From: I ~T OGC) (FBI) 

Sent: Thursday, March 09, 2006 2:51 PM 

To; | Urn (FBI) 

Cc: L— k cvD) (FBI); | 

subject; RE: Lead 12/22/2005 - Banner 

SECRET 

RECORD 288B-SI-54759 


[ 


Assistant General Counsel 


Science and Technology Law Unit 


Office of the General Counsel 

b6 

Federal Bureau of Investiaation 

b7C 

Phone -1 1 

b2 

Fax 'I I 



:b6 

b7C 


](OGC) (FBI){ 


](OGC) (FBI) 


bl 


4 







— Original Mess age — . 

From: I 1 (51) (FBI) 

Sent: Thursday. Janua ry 05, 2006 4:21 PM 

To: I I fOGQ [FBI) 

Subject: RE: Lead 12/22/2005 b7C 

SECRET 

RECORD 288B-SI-54759 


AFOSI has not gotten the "Official" approval from the appropriate Air Force General yet to deploy CIPAV. 
The General asked for an official OPS plan to include CIPAV basic information, how we will gather and 
share the appropriate data and how long we expect to deploy the tool. He requested the OPS plan include 
the FBI's recommended banner changes before he approves so his DOD attorneys can review our 
changes before he signs off. 


I know it’s a chicken or egg thing 
Thanks again. 

sa| 

U.S. Bank Building 
6701 North Illinois 
Suite 200 

Fairview Heiqhts, Illinois 62208 

Tel: I ~ 

Fax: I I 


but he wants to see our recommendations before signing off. 



b6 

b7C 

b2 


— Original Mess age — 

From: 

Sent: 

To: 

Cc: 

Subject: 


](OGC) (FBI) 


Thursday, January 0 5. 2006 2:24 PM 
, KSOjFBl] 


RE: Lead 12/22/2005 


](OGC) (FBI) 


SECRET 

RECORD 288B-SI-54759 



We are putting the final touches on the draft Banner language now but I will have to coordinate the 
language thru OGC before I can provide it to you via EC. Before I take the next step I need to know 
that the Air Force has agreed to make the recommended changes and to use of the CIPAV tool. 
Please let me know ASAP. 


Thanks 


] 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Inves tigation 
Phon e ^ 

Fax H 


b6 

b7C 

b2 


— Original Mess age — 

From: I k sn (FBI) 

Sent: Thursday, December 29, 2005 12:57 PM 



SteftEI 

T o: I T ogo (fbi) 

Subject: RE: Lead 12/22/2005 

SECRET 

RECORD 288B-SI-54759 


Yes, that is the only thing we have found to date. 


sa[ 


U.S. Bank Building 
6701 North Illinois 
Suite 200 

Fairview Heights, Illinois 62208 

Tel: 

Fax: 1 


Original Mess age 

From: 1 I fOGO (FBI) 

Sent: Thursday, December 29, 2005 7:24 AM 

To: I l (Sn (FBI) 

Subject: RE: Lead 12/22/2005 

SECRET 

RECORD 288B-S1-54759 


b 6 

b7C 

b2 



Thanks and mv understanding is that in your investigation you've determined that[ 


b2 

b7E 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Federal 
Phone - 
Fax 


l 


ureau of Inves tigation 


b6 

b7C 


— Original Message — 

From: | l (SI) (FBI) 

Sent: Wednesday, December 28, 2005 7:41 PM 

To: | 1 (OGC) (FBI) 

Subject: RE: Lead 12/22/2005 

SECRET 

RECORD 288B-S1-54759 


I | l am not sure about that, i’ll be out of the office until next week and if you want m e 
to check with the Air Force on it I will . | | 

b2 

b7E 


6 




sa | _ I 

U.S. Bank Building 
6701 North Illinois 
Suite 200 

Fairview Heights, Illinois 62208 

Tel: 1 

Fax: I 


— Original Message — 

From: I l OGC) (FBI) 

Sent: Wednesday, Decemb er 28, 2005 3:32 PM 

To: I K SI) (FBI) 

Subject: RE: Lead 12/22/2005 

SECRET 

RECORD 288B-SI-54759 


b6 

b7C 


Thanksl ~ lf 


b2 

b7E 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Inve stigation 
Pho ne A 
Fax 1 


— Original Mess age — b6 

From; I ~ I CST) (FBI) b7C 

Sent: Wednesday. De cember 28, 2005 3:56 PM 

To: I |(OGC) (FBI) 

Subject: RE: Lead 12/22/2005 

SECRET 

RECORD 288B-SI-54759 


Good Afternoon T I 


b2 

b7E 


1 l am not, 

however, currently aware of that to be happening. 


S AI [ 

U.S. Bank Building 
6701 North Illinois 
Suite 200 

Fairview Heights, Illinois 62208 

Tel: 

Fax: I ~~” 


be 

b7C 

b2 



L 


Original Message- 

From: 

Sent; 

To: 

Subject: 


J(OGC) (FBI) 


Wednesday, Decemb er 28, 2005 1:11 PM 
I ~fc Sl) (FBI) 

FW: Lead 12/22/2005 


1 




SECRET 

RECORD 288B-SI-54759 


(S) 


Now I have your EC officially, i'm coordinating as I type to get ideas from my 



Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel be 

Federal Bureau of Inves tigation b7c 


Phone -f 
Fax ^ 


b2 


— Original Mess age — 

From: I If OGC) (FBI) 

Sent: Thursday, Decem ber 22, 2005 2:29 PM 

To: { l (OGC) (FBI) ' 

Cc: MOffA, THOMAS GREGORY (OGC) (FBI): I 1 (OGC) 

(FBI) 

Subject: Lead 12/22/2005 

Happy Holidays all. 

Please find attached a lead foi l It hat has a deadline of 

1/31/2006. 

Thank s, 

| ~> < File: 12222005.wpd » 
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DECLASSIFICATION EXEMPTION 1 

secret 


DERIVED FROM: G-lTFBI Classification Guide dated 1/97. Foreign 
Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
SECRET 



DERIVED FROM: G-3 FBI Classification Guide. G-3. dated 1/97. Foreign 
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SECRET 
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](OTD) (FBI) 


From: 

Sent: 

To: 

Subject: 


□(SI) (FBI) 

Tuesday, July 10 t 2 007 6:24 PM 
I ~^ OTD) (FBI) 

RE: CIPAV reminder 


b6 

b7C 


UNCLASSIFIED 

NON-RECORD 


Per our conversation, well talk to you (and your engineers) at 3:30 pm EST (2:30 pm central) 


— Original Message — 

From: I ~l rOTD) (FBI) 

Sent: , Tupsriav Inly 10, 2007 4:59 PM 

To: | |(SI) (FBI) 

Subject: RE: CIPAV reminder 

UNCLASSIFIED 

NON-RECORD 


How does 2pm EST sound? 

SS/ft l I 

Operational Technology Division 

Digital Evidence Section b7c 

Cryptologic and Electronic Analysis Unit b2 

Software Develooment Group 

! desk) 
cell) 

fax-unclass) 


— Ori ginal Message — 

From: I If SIHFBn 

Sent: Tuesday. July 10. 2007 5:31 PM 

To: I If OTP) (FBI) 

Subject: RE: CIPAV reminder 

UNCLASSIFIED 

NON-RECORD 


Miscomm unication. We thought you were calling us. What time works? 

— Original Messa ge — 

From: I l IOTDI (FBI) 

Sent Tuesday, July 10, 2007 4:15 PM 

To: I 1 (51) (FBI) 

Subject: RE: CIPAV reminder 

UNCLASSIFIED 

NON-RECORD 


Yes, I will be able to discuss the issues tomorrow. I waited patiently for you to call yesterday. Did I get my 
wires crossed? Was I suppose to call you or were you going to call me? 

SS/ f 1 

Operational T echnology Division 

ALL INFORMATION CONTAINED 1 

HEREIN IS UNCLASSIFIED 

DATE 09-29-2008 BY 60322TJC/ LP/STP/gj g 



* 


Digital Evidence Section • 

Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
~| (desk) 

(cell) 

(fax-unclass) 


Original Message- 

From: 1” 

Sent: 

To: L 

Subject: FW: CIPAV reminder 


flESS EWKTf PMTl 


](SI) (FBI) 

2007 2:24 PM 
JCOTD) (FBI) 


UNCLASSIFIED 

NON-RECORD 


Are you going to be available to discuss these issues tommorrow? 

Original Mes sage 

From: I ~ l (SI) (FBI) 

Sent: Friday, July 06, 20 07 1:13 PM 

To: | K QTD) (FBI) 

Subject aPAV reminder 

UNCLASSIFIED 

NON-RECORD 


b6 

b7C 

b2 


Per our discussion today, you are checking with you engineers and| [regarding our matter here. 

We are going to talk again Monday assuming you get your answers (tentatively scheduled for after 2 pm). 
Call with questions. 


D 

C 


UNCLASSIFIED 


UNCLASSIFIED 


UNCLASSIFIED 

UNCLASSIFIED 


UNCLASSIFIED 


UNCLASSIFIED 
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(Rev. 01 -3 1-2003) 


FEDERAL BUREAU OF INVESTIGATION 


Date: 07/05/2007 


Attn: SA 


Attn: SSA I 

C3IU-2 

From: Operational Technology Division/ 

Electronic Surveillance Technology Section/ 
Cryptologic and Electronic Analysis Unit 


Precedence: ROUTINE 

To: Seattle 

Cyber 


b6 

b7C 


Approved By: 



DiClemente Anthony P 


] 


be 

b7C 


Drafted By: 


Case ID U: | 

288E-SE-93709 


(Pending) 

(Pending) 


b 2 


Title: CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU) 

ASSISTANCE TO THE SEATTLE FIELD OFFICE 


UNSUB (S); 

TIMBERLINE SCHOOL DISTRICT (VICTIM) ; 
COMPUTER INTRUSION - INTERNET EXTORTION 


Synopsis: After Action Report for effectuating remote delivery of 

a Computer Internet Protocol Address Verifier (CIPAV) to 
geophysically locate a subject who has issued multiple bomb 
threats against a local high school. 

Details: On 06/06/2007, the Seattle Division was contacted by the 

Lacey Police Department (LPD) , Lacey, WA, regarding numerous bomb 
threats and Distributed Denial of Service (DDOS) attacks received 
at the Timberline School District, Lacey, WA. The threats began 
on 05/30/2007 and persisted through 06/04/2007. The threats 
necessitated the daily evacuation of Timberline High School. The 
LPD and the Washington State Patrol (WSP) performed school 
evacuations and bomb sweeps with negative results. Parents and 
school district employees informed local television stations and 
newspapers, which aired the story on June 6, 2007. As a result, 
the LPD requested investigative assistance from the Northwest 
Cyber Crime Task Force (NCCTF ) headed by the Seattle Division. In 
turn, the Seattle Field Office requested assistance from the CEAU 
with locating the UNSUB. 


ALL INFORMATION CONTAINED 

HEREIN 15 UNCLASSIFIED 

DATE 09-29-2009 BY 60322UC/LP/5TP/gog 





♦ 


To: Seattle From: Operat ional Technology Division/ 

Re: I 07/05/2007 


to 2 


OBJECTIVE 

The objective of this operation was to deploy a CIPAV to 
locate the subject issuing bomb threats to the Tixnberline High 
School, Lacy, Washington. The CIPAV was deployed in the usual 
way. 


SUMMARY OF EVENTS 


Concurrence f or the operation w as obtained from Case Agent 


] and [ 


Assistant United States 


Attorne y, Western District of Washington. In addition, | | 


Office of the General Counsel, concurred with the 
operation following his review of the affidavit and warrant, 
signed by James P. Donohue, United States Magistrate Judge, 
United States District Court, Western District of Washington, 
dated 6/12/2007. 


toe 

b7C 


CONCLUSION 

CEAU deployed a CIPAV to a MySpace account identified as 
possibly belonging to the UNSUB. The CIPAV returned several IP 
Addresses, one resolving back to Comcast Cable in Seattle, 
Washington. Subscriber information obtained from Comcast 
confirmed the suspicions of Law Enforcement and led to the 
issuing of a search warrant and arrest warrant. A 15 year old 
male student from Timberline High School was taken into custody 
without incident at his home at approximately 2 A.M. on 
6/14/2007. The minor confessed to issuing the bomb threats. Bomb 
threats dated 6/14/2007, were found on the minor's computer. The 
minor's computer equipment was seized and the arrest was made 
without incident. Following an interview with the minor, the LPD 
was able to clear another threat case, as the minor confessed to 
issuing telephone death threats to teachers and others, including 
his parents, earlier this year. 


2 



To: 
Re: • 


Seattle From: Opera tional Technology Division/ 

I 07/05/2007 


LEAD (s) : 

Set Lead i: (Action) 

SEATTLE 

AT SEATTLE. WA 

Lead covered at OTD/ESTS/CEAU. Read and Clear 

Set Lead 2: (Action) 

CYBER 

AT WASHINGTON. DC 
Read and Clear 1 . 

♦♦ 


S : /DES/CEAU/Upload/AARSEATTLE06kldl407 . wpd 



Subject: 


|(OGC) (FBI) 

Monday, July 02, 2007 10 :52 AM 

f SE HFBn 

, KSEKF Bn;!^ 

(FBI VI l( DTrn (FBI) 


b6 

b7C 


(SE) (FBI); 



(SE) 


b2 

b7E 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


I spoke withj of our office on this issue. We agree that you probably should get a search warrant In order to b 7 c 

conduct this investigation . It is just not well settled in the law that we can rely on the trespasser exception to the search 
requirement. I'm told that | j has a pony fo r an affidavit for a situatio n such as this. It needs to be fairly detailed 

as to what we are going to do. I have copie d I on this response. It was a l \ ~~1 1 [can b2 

refresh your memory if you don't know the one I am referring to. b7E 


Assistant General Counsel 
Scienc e and Technolog y Law Unit 
Phoned I 

Cell phone d I 

Secure phone:L j 

i 


b 6 

b7C 

b2 


— Original Message — 

From: I 


From: I T SE) (FBI) 

Sent: Monday. June 25. 20 07 11:53 AM 

To: J . ^J(Q Q (Fm 

Cc: I Rsh (FBIV.l 

Subject: RE j [ 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

b7C 


[SE) (FBI); 


[SE) (FBI) 


b2 

b7E 


I- Hoping to hear a decision s< 


ianKs tor an your neip. 


[Fax) 

Nextel) DC: 


be 

b7C 

b2 


— Orig inal Message 

From: I I fO C) (FBI) 

Sent: Monday, June 25, 2007 7:55 AM 

To: J J (5E) (FBI) 

Subject ^ | 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


DATE: 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/g)g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


b2 

b7E 


S 



b7C 



resrr ressrcsr csy ms b&uns. a colleague recency raissa ms semerfoegfisn wmra uuj attorney imns'cnmmsi 
Division. The response was that they didn't have a written position on it, but they did think it would reduce the 
litigation risks associated with this type of action. Not a very good response. The attorney did mention that there 
is a pending case in the Eastern District of California that may answer this question, but who knows when that will 
be decided. There are two people I want to discuss this with, but they are both out this week. I'm afraid this is all I 
can tell you for now, but I will keep working it. 


Assistant General Counsel 
Scienc e* and Technolog y Law Unit 
Phone ] 

Secure phonal 

Fax ] 



b6 

b7C 

b2 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 
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AFFIDAVIT 


2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 

26 

27 

28 


STATE OF WASHINGTON ) 

} ss* 

COUNTY OF KING ) 

Norman B. Sanders Jr., being duly sworn on oath, deposes and says: 

1. I am a Special Agent for the Federal Bureau of Investigation ("FBI"), and 
have been such for the past five years. Prior to becoming a Special Agent, I was 
employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I 
am currently assigned to the Seattle Office’s Cyber Crime Squad, which investigates 
various computer, and Internet-related federal crimes. 

2. My experience as an FBI Agent has included the investigation of cases 
involving Computer Intrusions, Extortion, Internet Fraud, Identity Theft, Crimes 
Against Children, Intellectual Property Rights, and other federal violations involving 
computers and the Internet. I have also received specialized training and gained 
experience in interviewing and interrogation techniques, arrest procedures, search 
warrant applications, the execution of searches and seizures, cyber crimes computer 
evidence identification, computer evidence seizure and forensic processing, and various 
other criminal laws and procedures. I have personally participated in the execution of 
arrest warrants and search warrants involving the search and seizure of computers and 
electronic evidence, as well as paper documents and personal belongings. 

3. I am an investigative or law enforcement officer of the United States 
within the meaning of Section 2510(7) of Title 18, United States Code, in that I am 
empowered by law to conduct investigations and to make arrests for federal felony 
offenses. 

4. Relative to this investigation, my duties include the investigation of 
offenses including violations of Title 18, United States Code, Sections 875(c) (Interstate 
Transmission of Communication Containing Threat to Injure), and 1030(a)(5)(A)(i) and 

Affidavit of Norm Sanders for CIPAV 
USAO# 2007R00791 
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(B)(iv) (Computer Intrusion Causing a Threat to Public Safety). 

5. I submit this affidavit in support of the application of the United States for 
a search warrant. This search warrant pertains to the Government’s planned use of a 
specialized technique in a pending criminal investigation. Essentially, if a warrant is 
approved, a communication will be sent to the computer(s) being used to administer 
www.myspace.com 1 ("MySpace") user account "Timberlinebombinfo". 

The communication to be sent is designed to cause the above referenced 
computer(s) to transmit data, in response, that will identify the computer(s) and/or the 
user(s) of the computer(s). In this manner, the FBI may be able to identify the 
computer(s) and/or user of the computer(s) that are involved in committing criminal 
violations of United States Code 2 ; specifically. Title 18, United States Code, Sections 
875(c) (Interstate Transmission of Communication Containing Threat to Injure), and 
1030(a)(5)(A)(i) and (B)(iv) (Computer Intrusion Causing a Threat to Public Safety). 

More specifically, the United States is applying for a search warrant authorizing: 

a). the use of a Computer & Internet Protocol Address 3 ("IP address") 


MySpace is a international free service that uses the Internet for online communication through 
an interactive social network of photos, videos, weblogs, user profiles, blogs, e-mail, instant 
messaging, web forums, and groups, as well as other media formats. MySpace users are capable of 
customizing their user webpage and profile. Users are also capable of searching or browsing other 
MySpace webpages and adding other users as "friends". If the person identified approves your 
"friend” request, he or she wilt be added to your list of friends. Users are capable of sending MySpace 
messages and posting comments on other user’s MySpace webpages. 

2 In submitting this request, the Government respectfully does not concede that a reasonable 
expectation of privacy exists in the internet protocol address assigned by a network service provider or 
other provider to a specific user and used to address and route electronic communications to and from 
that user. Nor does the government concede that a reasonable expectation of privacy is abridged by the 
use of this communication technique, or that the use of this technique to collect a computer’s IP 
address, MAC address or other variables that are broadcast by the computer whenever it is connected 
to the Internet, constitutes a search or seizure. 

' Conceptually, IP addresses are similar to telephone numbers, in that they are used to identify 
computers that exchange information over the Internet. An IP address is a unique numeric address 
used to direct information over the Internet and is a series of four numbers, each in the range 0-255, 
separated by periods (e.g., 121.56.97.178). In general, information sent over the Internet must 
contain an originating IP address and a destination IP address, which identify the computers sending 

Affidavit of Norm Sanders for CIPAV 
US AO# 2007RQ0791 
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Verifier ("CIPAV") in conjunction with any computer that administers MySpace user 
account "Timberlinebombinfo" (http ://www .mvspace.com/ timherlinebombinftfi , 
without prior announcement within ten days from the date this Court authorizes the use 
of the CIPAV; 
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b) . that the CIPAV may cause any computer - wherever located - that 

activates any CIPAV authorized by this Court (an "activating computer") to send 
network level messages 4 containing the activating computer’s IP address and/or MAC 
address , 5 other environment variables, and certain registry-type information 6 to a 
computer controlled by the FBI; 

c) . that the FBI may receive and read within ten days from the date 

this Court authorizes the use of the CIPAV, at any time of day or night, the information 
that any CIPAV causes to be sent to the computer controlled by the FBI; and 


and receiving the information. Section 216 of the USA Patriot Act (P.L. 107-56) amended 18 U.S.C. 
§§3121 et seq to specifically authorize the recovery of "addressing" and "routing" information of 
electronic As used here, a network-level message refers to an exchange of technical information 
between computers, communications by a pen register/trap & trace order. 


Such messages work in established network protocols, determining, for example, how a given 
communication will be sent and received. Every time a computer connected to a local area network 
(LAN) or to the Internet connects to another computer on the LAN or the Internet, it broadcasts 
network-level messages, including its IP address, and/or media access control (MAC) address, and/or 
other "environment variables.” A MAC address is an unique numeric address of the network interface 
card in a computer. Environment variables that may be transmitted include: operating system type and 
version, browser type and version, the language the browser is using, etc. These network-level 
messages also often convey network addressing information, including origin and destination 
information. Network-level messages are used to make networks operate properly, transparently, and 
consistently. 


Computers that access, and communicate on LANs do so via a network interface card (NIC) 
installed in the computer. The NIC is a hardware device and every NIC contains its own unique MAC 
address. Every time a computer connected to a LAN communicates on the LAN, the computer 
broadcasts its MAC address. 

As used here, "registry-type information" refers to information stored on the internal hard drive 
of a computer that defines that computer’s configuration as it relates to a user’s profile. This 
information includes, for example, the name of the registered owner of the computer and the serial 
number of the operating system software installed. Registry information can be provided by a 
computer connected to the Internet, for example, when that computer connects to the Internet to request 
a software upgrade from its software vendor. 

Affidavit of Norm Sanders for CIPAV 
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d). that, pursuant to 18 U.S.C. §3103a(b)(3), to satisfy the notification 
requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay 
providing a copy of the search warrant and the receipt for any property taken until no 
more than thirty (30) days after such time as the name and location of the owner or user 
of the activating computer is positively identified or a latter date as the court may, for 
good cause shown, authorize. Provision of a copy of the search warrant and receipt 
may, in addition to any other methods allowed by law, be effectuated by electronic 
delivery of true and accurate electronic copies (e.g. Adobe PDF file) of the fully 
executed documents. 

6. Iam thoroughly familiar with the information contained in this Affidavit, 
which I have learned through investigation conducted with other law enforcement 
officers, review of documents, and discussions with computer experts. Because this an 
application for a search warrant and pen register, not every fact known about the 
investigation is set forth, but only those that are pertinent to the application. As a result 
of the investigation, I submit there is probable cause to believe the MySpace 
"Timberlinebombinfo" account, e-mail account "dougbriggsl23@gmail.com": e-mail 
account "dougbrigs@gmail.com ": e-mail account "dougbriggs234@gmail.com": e-mail 
account " thisisfromitalv@gmail .com" : and e-mail account 

"timberline.sucks@gmail.com " have been used to transmit interstate communications 
containing threats to injure and involve computer intrusion causing a threat to public 
safety in violation of Title 18, United States Code, Sections 875(c) and 1030(a) (5) (A) (i) 
and (B)(iv). I further submit that there is probable cause to believe that using a CIPAV 
in conjunction with the target MySpace account (Timberlinebombinfo) will assist in 
identifying the individual(s) using the activating computer to commit these violations of 
the United States Code. 

7. In general, a CIPAV utilizes standard Internet computer commands 
commonly used commercially over local area networks (LANs) and the Internet to 
request that an activating computer respond to the CIPAV by sending network level 
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messages, and/or other variables, and/or registry information, over the Internet 7 to a 
computer controlled by the FBI. The exact nature of these commands, processes, 
capabilities, and their configuration is classified as a law enforcement sensitive 
investigative technique, the disclosure of which would likely jeopardize other on-going 
investigations and/or future use of the technique. As such, the property to be accessed 
by the CIPAV request is the portion of the activating computer that contains 
environmental variables and/or certain registry-type information; such as the 
computer’s true assigned IP address, MAC address, open communication ports, list of 
running programs, operating system (type, version, and serial number), internet 
browser and version, language encoding, registered computer name, registered 
company name, current logged in user name, and Uniform Resource Locator (URL) 
that the target computer was previously connected to. 

8. An Internet Service Provider (ISP) normally controls a range of several 
hundred (or even thousands) IP addresses, which it uses to identify its customers’ 
computers. IP addresses are usually assigned ’’dynamically": each time the user 
connects to the Internet, the customer's computer is randomly assigned one of the 
available IP addresses controlled by the ISP. The customer's computer retains that IP 
address until the user disconnects, and the IP address cannot be assigned to another 
user during that period. Once the user disconnects, however, that IP address becomes 
available to other customers who connect thereafter. ISP business customers will 
commonly have a permanent, 24-hour Internet connection to which a "static" (i.e., 
fixed) IP address is assigned. Practices for assigning IP addresses to Internet users 
vary, with many providers assigning semi-persistent numbers that may be allocated to a 
single user for a period of days or weeks. 


The “Internet" is a global computer network, which electronically connects computers and 
allows communications and transfers of data and information across state and national boundaries. To 
gain access to the Internet, an individual utilizes an Internet Service Provider (ISP). These ISP's are 
available worldwide. 
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9. Every time a computer accesses the Internet and connects to a web site, 
that computer broadcasts its IP address along with other environment variables. 
Environment variables, such as what language the user is communicating in, allows the 
web site to communicate back and display information in a format that the computer 
accessing the web site can understand. These environment variables, including but not 
limited to, the IP address and the language used by the computer, may assist in locating 
the computer, as well as provide information that may help identify the user of the 
computer. 

10. The hard drives of some computers contain registry-type information. A 
registry contains, among other things, information about what operating system 
software and version is installed, the product serial number of that software, and the 
name of the registered user of the computer. Sometimes when a computer accesses the 
Internet and connects to a software vendor's web site for the purpose of obtaining a 
software upgrade, the web site retrieves the computer's registry information stored on 
its internal hard drive. The registry information assists the software vendor in 
determining if that computer is running, among other information, a legitimate copy of 
their software because the registry information contains the software’s product 
registration number. Registry information, such as the serial nu m ber of the operating 
system software and the computer's registered owner, may assist in locating the 
computer and identifying its user(s). 

THE INVESTIGATION 

11. On May 30, 2007, a handwritten note was discovered on the premises of 
the Timberline High School in Lacey, Washington. Subsequently, school 
administrators ordered an evacuation of the students based on the handwritten bomb 
threat note. 


a). On June 4, 2007, Timberline High School received a bomb threat 
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e-mail from sender: ’' dougbriggsl23@gmail.com". The Unknown Subject(s) (UNSUB) 
stated in the e-mail "I will be blowing up your school Monday, June 4, 2007. There 
are 4 bombs planted throughout timberline high school. One in the math hall, library 
hall, main office and one portable. The bombs will go off in 5 minute intervals at 9: 15 
AM." In addition, the UNSUB(s) stated, "The email server of your district will be 
offline starting at 8:45 am". The UNSUB(s) launched a Denial-of-Service (DOS) 8 
attack on the Lacey School District computer network, which caused over 24,000,000 
hits on the system within a 24 hour period. School administrators ordered an 
evacuation of the school on June 4, 2007. 


b). On June 5, 2007, the UNSUB(s) sent an e-mail from 
" dougbrigs@gmail . com " stating the following: 

< <Read This ASAP> > 

Now that the school is scared from yesturdays fake bomb threat 
it’s now time to get serious. One in a gym locker, the girls. It’s 
in a locker hidden under a pile of clothes. The other four I will 
only say the general location. One in the Language Hall, One in 
the mam hall, One underneath a portable taped with strong 
ducktape. This bomb will go oft if any vibrations are felt. And 
me last one. Is in a locker. It is enclosed in a soundproof package, 
and litteraly undetectable. I have used a variety of chemicals to 
make the bombs. They are all different kinds. 

They will all go off at 10:15AM. Through remote detonation. 
Good Luck. And if that fails, a failsafe of 5 mmutes later. 

The UNSUB(s) goes on to state: 

Oh and for the police officers and technology idiots at 
me district office trying to track mis email and yesturdays email’s 
location. I can give you a hint. The email was sent over a newly made 
gmail account, from overseas in a foreign country. The gmail account 
was created mere, and mis email and yesturdays was sent from mere. 
So good luck talking with Italy about getting me identify of me person 
who owns me 100 Mbit dedicated server 


A DOS attack is an Internet based computer attack in which a compromised system attacks a 
single target, thereby causing a denial of service for users of the targeted computer system. The flood 
of incoming messages to the target system essentially forces it to shut down, thereby denying service to 
the system to legitimate users. The DOS attack is generally targeted at a particular network service, 
such as e-mail or web access. 
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c) . In another email from sender ''dougbriggs234@gmail.com" 

the UNSUB(s) states the following: 

Hello Again. Seeing as how you’re too stupid to trace the email back 
lets get serious. " [The UNSUB(s) mentions 6 bombs set to detonate 
between 10:45-11:15 AM, and adds] Seriously, you are not going to catch 
me. So just give up. Maybe you should hire Bill Gates to tell you that it 
is coming from Italy. HAHAHA Oh wait I already told you that. So stop 
pretending to be "tracing it” because I have already told you it’s coming 
from Italy. That is where trace will stop so just stop trymg. Oh and this 
email will be behind a proxy behind the Italy server. 

d) . School administrators ordered an evacuation of the school on June 

5, 2007. 

e) . On June 6, 2007, Principle Dave Lehnis of Timberline High 

School received an e-mail from sender: "dougbriggs91 1 @gmail .com ” . The e-mail 
contained the following text: "ENJOY YOUR LIFE ENDING". 


f). In another e-mail from "dougbriggs911@gmail.com." the 
UNSUB(s) states the following, 

Well hello Timberline, today is June 6, 2007 and I"M just emailing you 
today to say that school will blow up and that’s final! There are 2 bombs this time 
(Iran short on money to buy things at home depot). They will go off at exactly 10:45:00 
AM. One is on located on a portable. And the other is somewhere else. Keep trying 
to ‘trace’ this email. The only thing you will be able to track is that it came from 
Italy. There is no other information that leads it back to the United States in any way 
so get over it. 

You should hire Bill Gates to track it for you. HAHAHAHA. He will just tell you that 
it came from over seas, so if you have close relations with the POPE you might get 
some information. But other than that, have fun looking in Italy. :-) 

Also, stop advising teachers to no show this email to classmates. Everyone would be 
ammusea by this email and I might stop if you do. Funny how I can trick you all into 
thinking that I included my name to show that it isn’t me, because who the hell would 
put their name? Or is that just what I want you to think. 

And yet again, this email was sent from overseas to a newly made email account that 
has 

already been deleted of all information by the time you read this email. Get your ass 
on a plane to Italy if you want it to stop. ' 

g) . School administrators ordered an evacuation fo the school on June 

6, 2007 

h) . On June 7, 2007, Timberline High School received an e-mail from 

sender "thisisfromitalv@gmail.com. " The UNSUB(s) states "There 
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are 

have 

but 


3 bombs planted in the school and they’re all different kinds. I 
premade these weeks in advance and tested the timers to make sure 
they work to exact millisecond. Locking the doors is a good plan, 
too late." 


i). School administrators ordered an evacuation of the school on June 
7, 2007. 



service, 
removed 
UNSUB(s) re- 
administrator of 


On June 7, 2007, the UNSUB(s) posted three of the threatening e- 
mails in the comments section of the online news publication 

"theolympian". The administrator from "theolympian.com" 
the threatening e-mail postings. Shortly thereafter, the 

posted the threatening e-mails. Eventually, the 
"theolympian.com" disabled the "Comments" section. 


k) . On June 7, 2007, Detective Jeremy Knight, Lacey Police 

Department (LPD), received information from the Thurston County Sheriffs Office, 
which had revealed a complaint from a person identified as AG. AG stated that she 
received an invitation through myspace.com from the MySpace profile of 
"Timberlinebombinfo" wanting her to post a URL link to 
http://bombermails .hvperphp . com on her myspace.com webpage. The UNSUB(s) 
advised her that failure to comply would result in her name being associated with future 
bomb threats. Similarly, Knight received a phone call from a parent alleging that her 
son received the same request from the UNSUB(s). According to Knight, 33 students 
received a request from the UNSUB(s) to post the link on their respective myspace.com 
webpages. Subsequent interviews performed by Knight yielded limited information. 

l) . On June 7, 2007, VW and BP received MySpace private invitations 
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from an individual utilizing the MySpace moniker "Timberlinebombinfo". VW 
accepted the invitation from "Timberlinebombinfo" and received an America Online 
Instant Message (AIM) from an individual utilizing AIM screen name 
"Alexspi3ring_09." Communication ceased with "Alexspi3ring_09" after VW requested 
additional information related to the bomb threats. VW believed screen name 
"Alexspi3ring_09” was associated to ALEX SPIERING, a student at Timberline High 
School. VW stated "Alexspi3ring_09" and "Timberlinebombinfo" used to have the 
identical graphic on their MySpace webpage. "Timberlinebombinfo" recently changed 
his/her graphic from a picture of guns to a picture of a bomb. 

m) . On June 7, 2007, Thurston County School District reported ALEX 

SPIERING resides at 6133 Winnwood Loop SE, Olympia, WA, 98513, telephone (360) 
455-0569, date of birth February 6, 1991. 

n) . On June 8, 2007, Comcast Internet, Thorofare, New Jersey, 

reported residential address 6133 Winnwood Loop SE, Olympia, WA, 98513 received 
Comcast Internet services for the following subscriber: 

Sara Spiering 

6133 Winnwood Loop SE, Lacey, WA 98513 
Telephone (360) 455-0569 
Dynamically Assigned Active Account 
Account Number: 8498380070269681 

o) . On June 8, 2007, Thurston County School District received two 

additional bomb threat e-mails from "Timberline.Sucks@gmail.com.” which resulted in 

J 

the evacuation of the Timberline High School. 

12. On June 4, 2007, Google provided subscriber, registration, and IP Address 
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log history for e-mail address "dougbriggsl23@gmail.com" with the following results: 
Status: Enabled (user deleted account) 

Services: Talk, Search History, Gmail 
Name: Doug Briggs 
Secondary Email: 

Created on: 03-Jun-2007 

Lang: en 

IP: 80.76.80.103 


LOGS: All times are displayed in UTC/GMT 
dougbriggsl23@gmail.com 
Date/Time IP 

04-Jun-2007 05 :47:29 am 81 .27.207.243 

04-Jun-2007 05:43:14 am 80.76.80.103 

03-Jun-2007 06: 19:44 am 80.76.80. 103 


a). On June 6, 2007, a SmartWhoIs lookup of IP Address 80.76.80. 103 
resolved to Sonic S.R.L, Via S.Rocco 1, 24064, Grumello Del Monte, Italy, 

Phone: +390354491296, E-mail: Staff@sonic.it. Your affiant connected to 
http://sonic.it, which displayed an Italian business webpage for Sonic SRL Internet 
Service Provider. 


b). On June 7, 2007, a request to MySpace for subscriber and IP 
Address logs for MySpace user "Timberlinebombinfo" provided the following results: 
User ID: 199219316 


First Name: 
Last Name: 
Gender: 

Date of Birth: 


Doug 

Briggs 

Male 

12/10/1992 
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Age: 

2 Country: US 

3 City: Lacey 

4 Postal Code: 985003 

5 Region: Western Australia 

6 Email Address: timberline.sucks@gmail.com 

7 User Name: timberlinebombinfo 

8 Sign up IP Address: 80.76.80.103 

9 Sign up Date: June 7, 2007 7:49PM 

10 Delete Date: N/A 

n Login Date June 7, 2007 7:49:32:247 PM IP Address 80.76.80.103 

12 

13 c). FBI Seattle Division contacted FBI Legate Attache Rome, Italy and 

14 an official request was provided to the Italian National Police requesting assistance in 

15 contacting Sonic SRL and locating the compromised computer utilizing IP Address 

16 80.76.80.103. 

17 

18 d). On June 7, 2007, the System Administrator for the 

19 www.theolvmpian.com advised the posting of the bomb threat e-mails originated 

20 from IP Address 192.135.29.30. A SmartWhois lookup resolved 192.135.29.30 

21 to "The National Institute of Nuclear Physics (INFN), LNL - Laboratori 

22 Nazionali di Legnaro, Italy”. 

23 

24 13. Based on my training, experience, and the investigation described herein, I 

25 know the following among other things: 

26 e). that network level messages, including the originating IP address 

27 and MAC address, other variables, and certain registry-type information of a computer 

28 can be used to assist in identifying the individual(s) using that computer; and 
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f). the individual(s) using the aforementioned activated computer 
utilized compromised computers to conceal their true originating IP address and thereby 
intentionally inhibiting the individual(s)' identification. Compromised computers are 

' P 

generally infected with computer viruses, trojans, or other malevolent programs, which 
can allow a user the ability to control computers) on the Internet or particular services 
of compromised computer(s) without authorization. It is common for individuals 
engaged in illegal activity to access and control compromised computer(s) to perform 
malicious acts in order to conceal their originating IP addresses. 

14. Based on training, experience, and the investigation described herein, I 
have concluded that using a CIPAV on the target MySpace Timberlinebombinfo account 
may assist the FBI to determine the identities of the individual(s) using the activating 
computer. A CIPAV ’s activation will cause the activating computer to send network 
level messages, including the activating computer’s originating IP address and MAC 
address, other variables, and certain registry-type information. This information may 
assist the FBI in identifying the individual(s) using the activating computers. 

15. The CIPAV will be deployed through an electronic messaging program from 
an account controlled by the FBI. The computers sending and receiving the CIPAV data 
will be machines controlled by the FBI. The electronic message deploying the CIPAV 
will only be directed to the administrators) of the Timberlinebombinfo account. 

a) . Electronic messaging accounts commonly require a unique user 

name and password. 

b) . Once the CIPAV is successfully deployed, it will conduct a one- 

time search of the activating computer and capture the information 
described in paragraph seven. 

c) . The captured information will be forwarded to a computer 

controlled by the FBI located within the Eastern District of 
Virginia. 

d) . After the one-time search, the CIPAV will Junction as a pen register 
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device and record the routing and destination addressing information 
for electronic communications originating from the activating 
computer. 

e). The pen register will record IP address, dates, and times of the 
electronic communications, but not the contents of such 
communications or the contents contained on the computer, and 
forward the IP address data to a computer controlled by the 
FBI, for a period of (60) days. 

CONCLUSION 

16. Based upon my review of the evidence, my training and experience, and 
information I have gathered from various computer experts, I have probable cause to 
believe that deploying a CIPAV in an electronic message directed to the administrator(s) 
of the MySpace Timberlinebombinfo account will assist in identifying a computer and 
individual(s) using the computer to transmit bomb threats and related communications in 
violation of Title 18, United States Code Sections 875(c) and 1030(a)(5)(A)(i) and 
(B)(iv). 

17. Because notice as required by Federal Rule of Criminal Procedure 
41(f)(3) would jeopardize the success of the investigation, and because the investigation 
has not identified an appropriate person to whom such notice can be given, I hereby 
request authorization to delay such notice until an appropriate person is identified. 
Further, assuming providing notice would still jeopardize the investigation after an 
appropriate person to receive notice is identified, I request permission to ask this Court 
to authorize an additional delay in notification. In any event, the United States 
government will notify this Court when it identifies an appropriate person to whom to 
give notice, so that this Court may determine whether notice shall be given at that time. 

18. Because there are legitimate law enforcement interests that justify an 

unannounced use of the CIPAV and review of the messages generated by the activating 
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computer in this case, 9 1 ask this Court to authorize the proposed use of a CIPAV 

2 without the prior announcement of its use. One of these legitimate law enforcement 

3 interests is that announcing the use of the CIPAV would assist a person controlling the 

4 activating computer(s) to evade revealing its true IP address, other variables, and 

5 certain registry-type information - thereby defeating the CIPAV’s purpose. 

6 19. Rule 41(e)(2) requires that (A) the warrant command the FBI "to execute 

7 the warrant within a specified time no longer than 10 days" and (B) "execute the warrant 

8 during the daytime unless the judge for good cause expressly authorizes execution at 

9 another time. . . " In order to comply with Rule 41 , the Government will only deploy 
to CIPAV between the hours of 6:00 a.m. and 10:00 p.m. (PST) during an initial 10-day 

1 1 period. However, the Government seeks permission to read any messages generated by 

12 the activating computer as a result of a CIPAV at any time of day or night during the 

13 initial 10-day period. This is because the individuals using the activating computer(s) 

14 may activate the CIPAV after 10:00 p.m. or before 6:00 a.m., and law enforcement 

15 would seek to read the information it receives as soon as it is aware of the CIPAV 

16 response given the emergent nature of this investigation. If the CIPAV is not activated 

17 within the initial 10-day period, the Government will seek further authorization from the 

18 Court to read any information sent to the computer controlled by the FBI as a result of 

19 that CIPAV after the 10 th day from the date the Court authorizes the use of the first 

20 CIPAV. 

21 20. Because the FBI cannot predict whether any particular formulation of a 

22 CIPAV to be used will cause a person(s) controlling the activating computers to activate 

23 a CIPAV, I request that this Court authorize the FBI to use multiple CIPAV’s in 

24 conjunction with the target MySpace account within 10 days of this Court authorizing 

25 the use of the first CIPAV. 

26 

27 9 See Wilson v. Arkansas . 514 U.S. 927. 936 (1995) (recognizing that "law enforcement 

28 interests may , . . establish the reasonableness of an unannounced entry. ") 
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21. Accordingly, it is respectfully requested that this Court issue a search 
warrant authorizing the following: 

e) . the use of multiple CIPAVs in conjunction with the target MySpace 

Timberlinebombinfo account, without prior announcement, within 10 days from the date 
this Court authorizes the use of the first CIPAV; 

f) . the CIPAV may cause an activating computer - wherever located - 

to send network level messages containing the activating computer’s IP address, and/or 
MAC address, and/or other variables, and/or certain registry-type information to a 
computer controlled by the FBI and located within the Eastern District of [Virginia]; 

g) . that the FBI may receive and read, at any time of day or night, 

within 10 days from the date the Court authorizes of use of the CIPAV, the information 
that any CIPAV causes to be sent to the computer controlled by the FBI; and 

h) . that, pursuant to 18 U.S.C. §3103a(b)(3), to satisfy the notification 

requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay 
providing a copy of the search warrant and the receipt for any property taken until no 
more than thirty (30) days after such time as the name and location of the individual(s) 
using the activating computer(s) is positively identified or a latter date as the court may, 
for good cause shown, authorize. Provision of a copy of the search warrant and receipt 
may, in addition to any other methods allowed by law, be effectuated by electronic 
delivery of true and accurate electronic copies (e.g. Adobe PDF file) of the fully 
executed documents. 

22. It is further requested that this Application and the related documents be 

' 

filed under seal. The information to be obtained is relevant to an on-going investigation. 
Premature disclosure of this Application and related documents may jeopardize the 
success of the above-described investigation. 

WHEREFORE, Affiant respectfully requests that a warrant be issued authorizing 

the FBI to utilize a CIPAV and receive the attendant information according to the terms 

set forth in this Affidavit. 
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THIS APPLICATION DOES NOT SEEK AUTHORIZATION TO OBTAIN 
THE CONTENT OF ANY ELECTRONIC COMMUNICATIONS, AND THE 
WARRANT WILL SO SPECIFY. 


3 


4 


5 

6 


Sworn to and subscribed before 
me this day of June, 2007 


7 


Norman B. Sanders 
Special Agent 

Federal Bureau of Investigation 


8 

9 

10 

11 

12 


Hon. James P. Donohue 
United States Magistrate Judge 


13 

14 
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to 6 
blC 


](OTD) (FBI) 


From: 

Sent: 

To: 

Cc: 

Subject: 


](OTD) (FBI) 


1 IfOTDI 

(FBI! 

1 (OTD) (FBI): 

l(OTD) (FBI) 

FW: Traveler Program 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


I 1 1 talked ta I about this program, expla ining that you would be discussing! 


coverag e - what I took to mean CIPAV and RASS --{ 


l said that they were looking to evolv e this into more aggre ssive 


] 


]. I told her that we an 


should be kept on the ECs as "read and clear" for the time being. 


— Original Mess age — 

From: [ ” 

Sent: 

To: 

Cc: 


b6 

b7C 


E 




](CyD) (FBI) 
17 9:2S AM 


Subject: 


(FBljT 


[OTD) (FBI) . 
[OTD) (FBI); 
(CyD) (FBI) 


RE: Traveler Program 


IjOTD) (FBI);[ 
J(CyD) (FBI) 


b2 

b7E 


](CyD) (FBI);[ 


ICyD) 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Please give me a call when you get a chance ij |sTAO). The Computer Intrusion Section, National Cyber 

Investigative Joint Task Force (NCIJTF), Investigative Operations Group (IOG), is in the process of formulating a 
"standardized" Traveler Program for implementation by FBI Field Divisions in coordination with our Intelligence Community 
Partners. Topics, such as the scope of assessment, number and make/model of the laptops, as well as the projected turn 
around time needs to be established with those supporting the technical side of the house. 

My past experience working these types of operations (through the Honolulu Div ision) develo ped some basel ine 
assessment wh ereby the following technica l personnel assisted: | [O TD, CEAU; ) I SOSU; 

I I SPTU; and ! K former Program Manager). The NCIJTF is working closely with the WFO- 

NVRA, CR-1 6, in establishing their traveler operation(s). 


I look forward to speaking with you. 


DET T earn Lead 


ST AO) 


SSA| 

CyD/CIS/C3IU- 
NCIJTF / PRC- 


-Original Messaae- 


From: 

Sent: 

To: 

Cc: 

Subject: 


Wednesday. June 2Q. 


Traveler Program 


_](OTD) (FBI) 
.007 12:04 PM 
iCyD) (FBI) 
_J(OTD) (FBI)j 


i 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


](OTD) (FBI) 


to 6 

b7C 

b2 


Hi. I 1 

This is in furtherance of the voice message I left for you this morning. As I understand it, you're managing the Traveler 


AIL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-29-2008 BY 6Q322UC/LP/3TP/gj g 




* 


Program whereby, please correct me If wrong, laptops of our overseas traveling personnel are assessed for 
compromise. STAO’s Investigative Analysis Unit is discussing technical support of the program with my unit. Can you 
characterize the number of laptops and other specimens needing such assessments, the scope of the assessment 
(i.e, do you want complete hardware, firmware, BIOS, and OS check on each specimen), and the expected turnaround 
time? 

Thank you, 


SSA[ 


] 


Secure Technologies Exploitation Group 
Cryptologic and Electronic Analysis Unit (CEAU) 
Electronic Surveillance Technology Section 
Operational Technology Division 
ERF Extension 

Quantico. VA 

tel: | {unsecure) 

{unsecure) 

’secure) 

(secure) 



b2 

b6 

b7C 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


2 



I ~1(0TD) (FBI) 


From: 

Sent: 

To: 

Subject: 


1 | (OTD) (FBI) 

Wednesday. June 2 0. 2007 9:58 AM 
I ~k OTD) (FBI); | 

A. (OS) (FBI) 

NIP Request for Quarter 3 - DUE COB Thrsday 06/21 


](OS) (FBI);[ 


b6 

b7C 



SECRET 
Record ^2-q 


[ 


Please provide me the number of successful ops and unsuccessful ops (penetrations) we have had in the month of April, 
May, and June. ' b2 


So. . .if we attempted to penetrate a target computer 
of successes/failures. 

I need by COB Thursday. Thanks! 


I need number of attempts and number 

bS 
blC 


b7E 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97, Cr%r gjf| n rQ Mfttedntellicierice"lnvestigations 
DECLASSIFICATION EX EMPTION 
SECRET 


DECLASSIFIED BY 60322UC/LPy3TP/gj g 
ON 09-29-2008 


1 




From: 

Sent: 

To: 

Subject: 


(OTP) (FBI) 

I ~l (OTD) (FB!) 

Tuasdav -Inna 13. 2007 S23 PM 

I k OTD) (FBI) 

RE: Reminder 


be 

blC 


UNCLASSIFIED 

NON-RECQRD 


All leads have been covered and cleared from ACS. 


Two of the leads, Detroit (315N-DE-94979) and New Orleans (288A-NO-71030) have been assessed and we are 
staging to conduct the operations. 

Phnoniv f j wac f-an^-ollpri hw *hp FO duo tnl 

1 1 covered the lead in-accordance with this information. 


b7A 

b2 


Cincinnati g I was comprised of information received from the FO following our deployment of a ° . 

CIPAV1 I * Y " | “ 

I is evaluating the received Information and once he has completed his b2 
evaluation, I will forward a response to the FO. As a side note, this is not high on the priority list as we are concentrating on b7E 
developing solutions for CT cases. 


The remaining leads from Sacramento and St. Louis consisted of read and clear leads. 


ssa[ 


] 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 

— [desk) 

cell) 

fax-unclass) 


b6 

b7C 

b2 


— Original Message — 

From: I K OTD) (FBI) 

Sent: Tuesday, June 19, 2007 12:55 PM 

To: I K OTD) (FBI); I ~V OTD) (FBI) 

Subject: Reminder 

UNCLASSIFIED 

NON-RECQRD 


Sorry to be a pain. But please let me know when you have had a chance to go through the leads so I can look at and 
have answers to remaining by Thursday. Thanks! 


UNCLASSIFIED 


UNCLASSIFIED ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 02-10-2009 BY 60322UC/LP/STPygjg 


1 



From: 

Sent: 

To: 

Subject: 


|{OTD) (FBI) 

Tuesday, June 19, 2007 3:19 PM 


FW: SAR Input 


b6 

b7C 


UNCLASSIFIED 

NON-RECORD 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
(desk) 

(cell) 

Kfax-unciass) 


b6 

b7C 

b2 


— Original Messa< 

From: \ 


J(OTD) (FBI) 

Tuesday, June 19, 2007 12:20 PM 

f OTP) (FBI) 

SAR Input 


UNCLASSIFIED 

NON-RECORD 


:b6 

b7C 


Here is my SAR contribution for last week or this week. 

Unclass 

288E-SE-93709 

On 06/14/2007, CEAU/SDG in conjunction with the Seattle Division 
deployed a CIPAV to assist with the geophysical locating of a subject whom 
had issued numerous bomb threats and launched a DDOS attack against a local 
high school. The CIPAV provided information leading to the identity and 
arrest of a 15 year old male student from the victim high school who was 
taken into custody without incident at his home at approximately 2 A.M. 
this date. The minor confessed to issuing the bomb threats. Bomb threats 
dated this date were found on the minor's computer. The minor's computer 
equipment was seized and the arrest was made without incident. Following an 
interview with the minor, the LPD was able to clear another threat case, as 
the minor confessed to issuing telephone death threats to teachers and 
others, including his parents, earlier this year. 

On 06/08/2007, CEAU presented at the Cyber Online Undercover Course at 
Calverton RA. Topics addressed were cryptography, remote access search and 
surveillance, and the voice changer. 


l 

ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-29-2003 BY 6Q322UC/LP/STP/gjg 



0 


SSA l 

Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
kdesk) 

(cell) 

(fax-unclass) 


b6 

b7C 

b2 


UNCLASSIFIED 


UNCLASSIFIED 


/ 


2 





From: 

Sent: 

To: 

Subject: 


[ OTP) (FBI) 
Tuesday, June 19, 2007 1:39 PM 

h OTD) (FBI) 

RE: SAR Input 


Importance: High 


he 

hi C 


UNCLASSIFIED 

NON-RECORD 


Case ID # needed. Also, assume case is U/FOUO? 


— Original Message — 

From: 1 | (OTD) (FBI) 

Sent: ^ESSSaS in™* iq 'xw 12:20 PM 

To: | l OTDi (FBI) 

Subject: SAR Input 

UNCLASSIFIED 
NON -RECORD 


b6 

b7C 


Here is my SAR contribution for last week or this week. 

On 06/14/2007, CEAU/SDG in conjunction with the Seattle Division 
deployed. a CIPAV to assist with the geophysical locating of a subject 
whom had issued numerous bomb threats and launched a DDOS attack against 
a local high school. The CIPAV provided information leading to the 
identity and arrest of a 15 year old male student from the victim high 
school who was taken into custody without incident at his home at 
approximately 2 A.M. this date. The minor confessed to issuing the bomb 
threats. Bomb threats dated this date were found on the minor's 
computer. The minor's computer equipment was seized and the arrest was 
made without incident. Following an interview with the minor, the LPD 
was able to clear another threat case, as the minor confessed to issuing 
telephone death threats to teachers and others, including his parents, 
earlier this year. 

On 06/08/2007, CEAU presented at the Cyber Online Undercover Course at 
Calverton RA. Topics addressed were cryptography, remote access search 
and surveillance, and the voice changer. 


SSiAj I 

Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
(desk) 

(cell) 


l 

ALL INFORMATION C OBTAINED 

HERE III IS UNCLASSIFIED 

DATE 09-29-2008 BY 60322UC/LP/STF/gj 7 




J(OTD) (FBI) 
>007 1:28 PM 
OTD) (FBI) 


From: 

Sent: 

To: 

Subject: 



UNCLASSIFIED 

NON-RECORD 


be 

hie 


May want to change your signature line to ESTS vs. DES (I've made the same mistake). 
Regards. 


— Original 

From: 

Sent: 

To: 

Subject: 



UNCLASSIFIED 

NON-RECORD 


Here is my SAR contribution for last week or this week. 

On 06/14/2007, CEAU/SDG in conjunction with the Seattle Division 
deployed a CIPAV to assist with the geophysical locating of a subject 
whom had issued numerous bomb threats and launched a DDOS attack against 
a local high school. The CIPAV provided information leading to the 
identity and arrest of a 15 year old male student from the victim high 
school who was taken into custody without incident at his home at 
approximately 2 A.M. this date. The minor confessed to issuing the bomb 
threats. Bomb threats dated this date were found on the minor's 
computer. The minor's computer equipment was seized and the arrest was 
made without incident. Following an interview with the minor, the LPD 
was able to clear another threat case, as the minor confessed to issuing 
telephone death threats to teachers and others, including his parents, 
earlier this year. 

On 06/08/2007, CEAU presented at the Cyber Online Undercover Course at 
Calverton RA. Topics addressed were cryptography, remote access search 
and surveillance, and the voice changer. 


:b6 

b?C 


1 



Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-29-2008 BY 60322UC/LP/STP/gj g 


Software Develo pment Grou 
[desk) 

cell) 

’fax-unclass 


tOTD) (FBI) 


From: 

Sent: 

To: 

Subject: 


[OTD) (FBI) 

Thursday. June 14. 200 7 7:48 PM 

k MO) (FBI) 

Affidavit of Cl PAV 


UNCLASSIFIED 

NON-RECORD 


b6 

blC 

b2 


.Sorry fnr thp riplav in npttinn this m if fr» vm i Attarhpd arp twn affidavits Onp wag i ispd in a Dinrinnati rasft tn 


out to me, call me on my ceil phone. 
Sincerely, 


Jhope they help, i will be out of the office tomorrow. If you need to reach 

IS) 


ss{ 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Snfhirara Hawalippment Group 

(desk) 

(ceil) 

(fax-unclass) 



Web Bug Revised Affidavit 
\ffkJavitwpd (61 KB for Norm San... 


UNCLASSIFIED 


DATE: 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 





b6 

hIC 


(OTP) (FBI) 


From: 

Sent: 

To: 

Subject: 


l OTD) (FBI) 

Thursday. June 14. 2007 3^2 3 PM 

l (OTD) (FBI) 

Seattle Case Summary 


UNCLASSIFIED 

NON-RECORD 


Per your request, the following is a synopsis of the Seattle 
Division's investigation: 

On 06/06/2007, the Seattle Division was contacted by the Lacey Police 
Department (LPD) , Lacey, WA, regarding numerous bomb threats and DDOS 
attacks received at the Timberline School District, Lacey, WA. The threats 
began on 05/30/2007 and persisted through 06/04/2007. The threats 
necessitated the daily evacuation of Timberline High School. The LPD and 
the Washington State Patrol (WSP) performed school evacuations and bomb 
sweeps with negative results. Parents and school district employees 
informed local television stations and newspapers, which aired the story on 
June 6, 2007. As a result, the LPD requested investigative assistance from 
the Northwest Cyber Crime Task Force (NCCTF) headed by the Seattle 
Division. In turn, the Seattle Field Office requested assistance from the 
CEAU with geophysically locating the UNSUB. 

CEAU deployed a CIPAV to a MySpace account identified as possibly 
belonging to the UNSUB. The CIPAV returned several IP Addresses, one 
resolving back to Comcast Cable in Seattle, Washington. Subscriber 
information obtained from Comcast confirmed the suspicions of Law 
Enforcement and led to the issuing of a search warrant and arrest warrant, 

A 15 year old male student from Timberline High School was taken into 
custody without incident at his home at approximately 2 A.M. this date. The 
minor confessed to issuing the bomb threats. Bomb threats dated this date 
were found on the minor's computer. The minor's computer equipment was 
seized and the arrest was made without incident. Following an interview 
with the minor, the LPD was able to clear another threat case, as the minor 
confessed to issuing telephone death threats to teachers and others, 
including his parents, earlier this year. 


SSA j I 

Operational Technology Division 
Digital Evidence Section 

Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 

(desk) 

(cell) 

(fax-unclass) 


ALL INFORMATION CONTAINED 

HEREIN 15 UNCLASSIFIED 

DATE 09-29-2008 BY 60322UC/LP/STP/gj g 


1 




(Rev. 01-31-2003) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/13/2007 

To: Operational Technology Division 


From: Operational Technology Division 

Electronic Surveillance Technology Section/ 
Cryptologic and Electronic Analysis Unit 


Contact: SSA 

Approved By: 


Drafted By: 


Case ID #: 


26 8-HQ-13 05912 -SDG 


be 

b7C 


Title: 


CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU) 
ASSISTANCE TO THE SEATTLE FIELD OFFICE 


Synopsis: Operations Order to assist the Seattle Field Office 

with effectuating remote delivery of a Computer Internet Protocol 
Address Verifier (CIPAV) to geophysically locate a subject who 
has issued multiple bomb threat against a local high school. 


Details: The Seattle Field Office has requested assistance from 

the CEAU with geophysically locating a subject engaged in issuing 
bomb threats via the Internet to Timberline High School, Lacey, 
Washington. The objective of the operation is to remotely deploy 
a CIPAV to geophysically locate the subject. 


BACKGROUND 

On 06/06/2007, the Seattle Division was contacted by 
Lacey Police Department (LPD) , Lacey, WA, regarding numerous bomb 
threats and DDOS attacks received at the Timberline School 
District, Lacey, WA. Below are a time-line of events: 

05/30/2007 - Timberline High School evacuation due to 
hand written bomb threat note. 


06/04/2007 - Timber l ine High School evacu ation due 


bomb threat email from sender: 


UNSUB (s) 


to 

also be 

b7C 


DATE: 02-24-2009 

CLASSIFIED BY 6G322UC/LP/STP/gj g 

REAS 0IJ: 1.4 (C) 

DECLASSIFY OH: 02-24-2034 


ALL INFGRKATIQN CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 




s 


T 


To: Operational Technology From: Operational Technology 

Re: 268 -HQ-1305912 -SDG, 06/13/2007 


advised a computer attack will hit the Lacey School District, 
which resulted in a DDOS attack totaling over 80,000,000 hits. 


06/05/2007 - Timber 1 ^ne_Jii-ah^.S-ChQ_Ql evacu ation due to 
bomb threat email from sender: 


b6 

b7C 


06/06/2007 - Timberlin^. 
bomb threat email from sender: 


n-i rr~h ouarnat-iAn due tO 


06/07/2007 - Timberline High School received additional 
email from UNSUB (s) . Details unknown at present time. 


LPD and the Washington State Patrol (WSP) continue to 
perform school evacuations and bomb sweeps with negative results. 
Parents and school district employees have informed local 
television stations and newspapers, which aired the story on June 
6, 2007. LPD has requested investigative assistance from the 
Northwest Cyber Crime Task Force. 


LPD has conducted numero ys thorough inte r views of a 
student at Timberline High School, 


appears not to be the subject responsible for bomb threats . 


fand teachers from Timberline High School provided a list 
ot otne r student s who may be responsible for the threats and DDO£k6 
attack, f I received a text me ssage, f roml 1 b7c 

DOBl ] FBI Nu mber! I on 06/03/2007, 


is described by teachers as 


advising "Keep your head up." j 

a self proclaimed computer hacker t hat routin ely bypasses the 
school computer security measures. | [ computer is in LPD 

custody and forensic results are pending. Initial interview of 
provided negative results. 


On 06/07/20 


fs 


Detective 


WSP, and SA 


Seattle Division, contacted AUSA Katheryn 


Warma, Western District of Washington, who agreed to prosecute 
captioned matter. 


bl 


(S) 


b6 

b7C 


s 


J 


2 








To: Operational Technology From: Operational Technology 

Re: 2 68 -HQ- 13 05912 -SDG, 06/13/2007 


CONCEPT OF THE OPERATION 

Deployment Operations Personnel (DOC) will deploy a 
CIPAV to geophysically locate the subject issuing bomb threats to 
the Timb 


in wyapace.com {a popular socia 


networking website) . 


(S) 

EXECUTION 


S : /DES/CEAU/Upload/Seattle0613kld07 .wpd 


secret 




From: 

Sent: 

To: 

Cc: 

Subject: 


(OTP) (FBI) 


l(OTD) (FBI) 

Tuesday, June 12, 2007 3 :03 PM 

K SE) (FBI) 
](OTD) (FBI) 


RE: Associated Press Article2 


b6 

b7C 


UNCLASSIFIED 

NON-RECORD 


b2 

b7E 


Let me know what you think 

J... 


[ 


Information Technology Specialist 
Operational Technology Division 

Office -I 

Mobile 
Pager \ 


b6 

b7C 


— Original Message — , 

From: I ~ r SEI (FBI) 

Sent: Tuesday. June 12. 2007 2:34 PM 

To: "I fOTP) (FBI) I t OTPI (CON);| lOTD) (FBI) 

Cc: T SE) (FBI) ! 1 SE) (OGA) 

Subject: FW: Associated Press Article 

UNCLASSIFIED 

NON-RECORD 


| ( - below is the news article we wou ld like to send co ntaining the CIPAV. I am meeting with the judge at 1 :30PST 

and hope to deploy afterwards. Thanks, ) 


b6 
b7C 

(Nextel)| I 


SAj 

FBI Seattle 


— Original Message — 

From: I l (SE) (FBI) 

Sent: Tuesday, June 12, 2007 11:18 AM 

To: I l (SE) (FBI) 

Subject: Associated Press Article 


1 

ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-29-2008 BY 60322UC/LP/STP/gjg 





UNCLASSIFIED 

NON-RECORD 


Here is the email link in the style of the Seattle Times 

> 

> 

> Bomb threat at high scbool downplayed by local police department 

> 

> Technology savvy student holds Timberline High School hostage.... 

> 

> Full story: 

http://seattletimes.nwsource.com/html/nationworld/200374323 1 webteensex 1 1 .html 

> 

> 

> : . : ===== — ===========^ ■ — - ■■ = 

> 

> TO SUBSCRIBE TO THE SEATTLE TIMES PRINT EDITION 

> Call (206) 464-2121 or 1-800-542-0820, or go to 

> http://seattletimes.com/subscribe 

> 

> HOW TO ADVERTISE WITH THE SEATTLE TIMES COMPANY ONLINE 

> For information on advertising in this e-mail newsletter, 

> or other online marketing platforms with The Seattle Times Company, 

> call (206) 464-2361 or e-mail websales@seattletimes.com 

> 

> TO ADVERTISE IN THE SEATTLE TIMES PRINT EDITION 

> Please go to http://seattletimes.nwsource.com/contactus/adsales 

> for information. 

> 

> - ....■ === = 

> For news updates throughout the day, visit http://www.seattletimes.com 

> = — — 

> 

> Copyright (c) 2007 The Seattle Times Company 

> 

> www.seattletimes.com 


Here is the full article. 

Friday, June 8, 2007 

Bomb threat at high school downplayed by 
local police department. 

The Associated Press 

LACEY Wash. — Technology savvy student holds Timberline High School hostage. The suspect is still 

unknown after several bomb threats and 5 days of school evacuations. Anonymous bomb threats to high 

schools are a growing trend in rural America. 


2 


sissftfjT 

](OTD) (FBI) 


From: 

Sent: 

To: 

Cc: 


Subject: 


](SE) (FBI) 


Tuesday. June 12. 2007 1 :28 AM 


be 

b7C 


a OGC) (FBI); 
(FBI ); [ ^ 


(FBI) l (SE)(FBI)| 

' J (SE)(FBi) 

CIPAV Affidavit - Seattle Division 


l(OTD) (FBI) 
l(SE)(OGA);| 


JSE) (FBI);[ 


1(SE) 


UNCLASSIFIED 

NON-RECORD 



Revised Affidavit 
for j 


sa( 

JEfi 




(Fax) r 
(Nextehl 


b6 

b7C 

b2 


UNCLASSIFIED 


DATE: Q2-24-2QQ9 

CLASSIFIED BY 6G322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 




(OTP) (FBI) 


From: 

Sent: 

To: 

|(OGC) (FBI) 
Tuesday. June 12. 2007 1 1 :06 am 

KSE) (FBI):! 

l(OTD) (FBI) 

b6 

b7C 

Cc; 

I(SETTFBI>;| 

SSE) (OGA)i 

l(SE)| 


(Fl KSEWfBI);| 

kSE) (FBI)i 


Subject; 

(OGC) (FBI) 

RE: CIPAV Affidavit - Seattle Division 




UNCLASSIFIED 

w5n-recOrd~ 


Here are my comments on my legal review of the application for a search warrant in this case. This application is much 
better than the previous version, and there are only a few issues that I believe need to be addressed or clarified. 

Not a legal point, but check your formatting in para 1 1. The way the document printed on my computer there were some 
problems. 



<S) 

bl 


In f. (probably should be b.) , Remove the brackets from around Virginia, and yo u need to add language that makes it clear 
that the information you are saying may be collected will l b nd that after that it will only be collecting 

addressing, routing, etc. (the stuff covered by a pen register, trap and trace). 

and he has no technical issues that need addressing. Let me know 


That’s all that I have. I have spoken with[ 
how we can be of further help. 


Assistant General Counsel 
Scienc e and Technolog y Law Unit 
Phone: ! I 

Secu re phone: 

Fax: ] 


b2 

b6 

b7C 


ISE) (FBI) 


— Original Message — 

From: I " 

Sent: Tuesday, June 12, 20 07 1:28 AM 

To: 

Cc: 


DATE: 02-09-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 

REASON: 1.4 £C) 

DECLASSIFY ON: 02-09-2034 


b6 

b7C 




gOGC) ( FBI);! 


(FBI); ! 


|SE) (FBI)£ 


i OTD) (FBI) 

SE) (QGA);EZI 

KSE) (FBI) 


](SE) (FBI);[ 


](SE) (FBI); 


Subject: CIPAV Affidavit - Seattle Division 

unclX >ified 





ALL INFORMATION CONTAINED. 
HEREIN IS UNCLASSIFIED EXCEPT 
TiIHERE SH0UN OTHERWISE 




« File: Revised Affidavit for 

CIPAV.wpd » 


3 ) 






FBI Seattle 





1 (° TP > m 


From: 

Sent: 

To: 

Subject: 


Monday. June 11. 2Q0 7 3:38 PM 

|OGC) (FBI) 


FW: 288A-SE-93709 


KOTD) (FBI) 

% 


:b6 

b7C 



UN 


NON-RECORD 


FYI. 


SSA[ 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
.Soflwaiift-DfiVfilopment Group 
(desk) 

(ceil) 

(fax-unclass) 


b6 

b7C 

b2 


— Original Message 

From: 

Sent: 

To: 

Cc: 

Subject: 


](OTD) (FBI) 


Friday. June Q8» 2QQ7 Z:Q4 pm 

](SE) (FBI) 


RE: 288A-SE-93709 


](OTD) (FBI) 


uSceassieiEd 

NON-RECORD 



DATE: 10-16-2008 

CLASSIFIED BY 60322UC/LP/STP/gj g 
PEA SON: 1.4 (C) 

DECLASSIFY ON: 10-16-2033 


ALt INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 



4 


I cannot stress enough the importance of telling the Judge that the tool will stay persistent on the compromised 
* computer and that ever time the computer connects to the Internet, we will capture the information associated with the 
PRTT. 

I have also attached four documents. The WordPad document ) [ contains the information that will 

be returned via the Search Warrant and the PRTT. The other three documents are ponies of an application for a mobile 
tracking order, a mobile tracking/PRTT order, and the affidavit supporting the two that ST. Louis drafted for a similar type 
order. 

Please contact me at the below listed numbers if you have any questions. 

Sincerely, 







I l(OTD) (FBI) 


From: 

Sent: 

To: 

' 

(SE) (FBI) 

Mondav. June'11. 2Q()7 10:49 AM 

l(OTD) (FBI) 


:b6 

b7C 

Cc: 

| 

kSE) (OGA); 

(SE) (FB!);| 

i 


(SE) (FBI) 


Subject: C1PAV Affidavit 


UNCLASSIFIED 

NON-RECORD 



AFFIDAVlCZZIIl 
SFORCIPAV.Wpd (... 


|- AUSA's secretary is cleaning up margins as her version of WP was different at her r esidence . Content will 
obviously be the same. Hoping to get it signed this morning. Thanks again for all your help, ! ~I 


AUSA is Katheryn Warmaf 


if DO J attorney has questions for her. 


SA 

1 

FB 

Seattle 



(Fax) , 

fNexteh 1 

1 1 


b6 

b7C 

b2 


UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 03-09-2009 BY 60322UC/LP/STP/gj g 


1 




be 

hie 


* 





From: 

Sent: 

To: 

Cc: 

Subject: 


|(OTD) (FBI) 

Friday. June 08. 2007 10:5ji AM 


C1PAV and Local Info 


,OTD) (FBI) 

|(OTD) (FBI) 


DATE: 02-09-2009 

CLASSIFIED BY 60322UC/LP/STP/gj g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 


SENSITIVE BUT U NC 
NON-RECORD 


CLfr^SI 


SIFIED 


ALL INF0RHATI0N C OBTAINED 
HEPEIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


I | we basically have 3 tools to locate a computer. Basic IPAV, Local Info and Local Info with 
Getter. b6 

b7C 

Give me a call if you have any questions. 



Computer internet Protocol Address Verifier (CIPAV) 










(Rev. 01-31-2003) 



FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 

To: Cyber 

International Operations 
Rome 

Operational Technology 


Date: 06/07/2007 

Attn: SSA I 

C3IU-2 


Attn: UC I ~| 

Europe Unit 


Attn: Legat 


ALAT 


Attn : CEAU 


UC 

1 

ssa 



From: Seattle 

Squad 11 - Cyber 
Contact: Detective [ 

SA | 


Approved By: 
Drafted By: 


:nbs 


Case ID U: 288A-SE-NEW (Pending) 


Title: UNSUB (S); 

TIMBERLINE SCHOOL DISTRICT (VICTIM) ; 
COMPUTER INTRUSION - INTERNET EXTORTION 


Synopsis: Request to open captioned investigation. 

Administrative: Reference the following communications: 

06/07/2007 telcal between Detective | 

Seattle Division Cyber Task Force, and ROME ALAT | 


06/07/2007 telc al between SA F I , 

Seattle Division, and SSA l l CACU. 

Details: On 06/06/2007, Seattle Division was contacted by Lacey 

Police Department (LPD) , Lacey, WA, regarding numerous bomb 
threats and DDOS attacks received at the Timberline School 
District, Lacey, WA. Below are a time-line of events: 

05/30/2007 - Timberline High School evacuation due to 
hand written bomb threat note. 



DATE: 10-16-2008 

CLASSIFIED BY 60322UCj'LP/STP/g5g 

REASON: 1.4 (CJ 

DECLASSIFY ON: 10-16-2033 

ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


b6 

b7C 


be 

b7C 


be 

b7C 






> 


To : 
Re : 



Cyber From: Seattle 

288A-SE-NEW, 06/07/2007 


06/04/2007 - Timber l ine High School evacu ation due to 


bomb threat email from sender: 


UNSUB (s) also 


advised a computer attack will hit the Lacey School District, 
which resulted in a DDOS attack totaling over 80,000,000 hits. bg 

b7C 

06/05/2007 - Timberline High School evacuation due to 
bomb threat email from sender: 


06/06/2007 - Timberl ine High School evacuatio n due to 
bomb threat email from sender: | 


06/07/2007 - Timberline High School received additional 
email from UNSUB (s) . Details unknown at present time. 


LPD and the Washington State Patrol (WSP) continue to 
perform school evacuations and bomb sweeps with negative results. 
Parents and school district employees have informed local 
television stations and newspapers, which aired the story on June 
6, 2007. LPD has requested investigative assistance from the 
Northwest Cyber Crime Task Force. 


LPD has conducted numero us thorough inte r views of a 
student at Timberline High School, | ~| . I ~| 

appear s not to be the subject responsible for bomb threats. be 

| and teachers from Timberline High School provided a list b7c 
of other student s who may be responsible for the threats and DDOS 
attack . I ~1 receive d a text me ssage from I I 

| DOB I I FBI Nu mber 1 ~l on 06/03/2007, 

advising "Keep your head up." I I is described by teachers as 

a self proclaimed computer hacker t hat routin ely bypasses the 
school computer security measures. I I computer is in LPD 

custody and forensic results are pending. Initial interview of 
| provided negative results. 



On 06/07/200 7, Detective | 1 WSP, and SA 

1 I , Seattle Division, contacted AUSA Katheryn 

Warma, Western District of Washington, who agreed to prosecute 
captioned matter. 


bl 


be 

b7C 


2 




mm 

To: Cyber From: Seattle 

Re: 288A-SE-NEW, 06/07/2007 



3 



To: Cyber From: Seattle 

Re: 288A-SE-NEW, 06/07/2007 

LEAD(s) : 

Set Lead 1 : (Info) 

CYBER 

AT WASHINGTON. DC 
For information. 

Set Lead 2: (Info) 

INTERNATIONAL OPERATIONS 
AT WASHINGTON. DC 
For information. 

Set Lead 3: (Action) 

ROME 

AT ROME . ITALY 


Set Lead 4: (Info) 

OPERATIONAL TECHNOLOGY 
AT ODANTICO. VA 


For information. 




From: 

Sent: 

To: 

Cc: 

Subject: 


](°TD) (FBI) 

l (SE) (FBI) 

Thursday. June 07. 2007 5:12 PM 

moth ) (FBI) 

fc SE) (OGA) 

288A-SE-93709 


b6 

hlC 


UNCLASSIFIED 

NON-RECORD 



158nbs01.ec (16 



b6 

b7C 

b2 


sa[ 

-£B 


USER? 


(Fax) 

(NextelM 


UNCLASSIFIED 


DATE: 02-24-2009 

CLASSIFIED BY 60322UC/iP/STP/gj g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
NKERE SHOOT OTHERWISE 






lot D) [FBI) 


From: 

Sent: 

To: 

Cc: 

Subject: 


Thursday May 31 


](OTD) (FBI) 


2007 12:52 PM 
(NY) (FBI) 


CIPAV request 


KOTD) (FBI);[ 


b6 

b7C 


](OTD) (FBI) 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Hi J 1 As promised, here's a copy of the OTD STE policy, including the LEGAT and OPS Plan ECs mentioned in the 
policy: 



STE Policy. WPD (52 Legat EC.wpd (17 OPERATIONS 
KB) KB) PLAN.wpd (8 KB) 

Read this guidance in context. A tot of it is written for overseas deployment of physical equipment and personnel at the 
request of the foreign government. Disregard those entries that don’t make sense to your situation. 

I ” l asked that you cover the following in your request: Summary of the case, details of the target and his/her equipment 
(as much as you know, such as OS, network topology, IP address(es), MACs, Internet connection type, security 
hardware/software, technical sophistication), legal authority and means of constraining to intended target, and what it is 
you want from our support (not the technical wants, but what you expect to get from this collection). 


Contrary to what I told you, please address the EC to the CEAU Chief, SSA 
Good talking with you! 


SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN 15 UNCLASSIFIED 

DATE 09-30-2008 BY 60322UC7LJ/STP/gjg 


1 


s 


SECRET // NOFORM // ORCON // 20320621 

OPERATIONAL TECHNOLOGY DIVISION (OTD) 

SIGNIFICANT MONTHLY ACCOMPLISHMENTS 

May 24 - June 21, 2007 

Electronic Surveillance Technology Section 


The Cryptologic and Electronic Analysis Unit ( CEAUi reports the following: 
(S//NOFORN//ORCON) FIELD SUPPORT: 


(S) 



hi 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOT® OTHERWISE 



I 


DATE; 09-30-2008 
CLASSIFIED BY 6Q322UC/LP/STP./gjg 
FEAS0N: 1.4 (C) 

DECLASSIFY ON: 09-30-2033 

SECRET // NOFORN // ORCON // 20320621 



i 


i 



SECRET // NOFORN // ORCON // 20320621 


(SJ 


(U/FOUO) 288E-SE-93709. On June 14, 2007, CEAU's SDG, in conjunction with the 
Seattle Field Office, deployed a Computer Internet Protocol Address Verifier (CIPAV) to 
assist with the geophysical locating of a subject whom had issued numerous bomb threats 
and launched a Directed-Denial-of-Service (DDOS) attack against a local high school. 
The CIPAV provided information leading to the identity and arrest of a 15 year old male 
student from the victim high school who was taken into custody without incident at his 
home at approximately 2 A.M. this date. The minor confessed to issuing the bomb 
threats. Bomb threats dated this date were found on the minor’s computer. The minor's 
computer equipment was seized and the arrest was made without incident. Following an 
interview with the minor, the Lacey Washington Police Department (LPD) was able to 
clear another threat case, as the minor confessed to issuing telephone death threats to 
teachers and others, including his parents, earlier this year. 


(S) 


(U//FOUO) HEADQUARTERS SUPPORT: 

• (U//FOUO) On Friday, June 1, 2007, two (2) members of CEAU traveled to LX1 and 
answered technical questions during a FISA renewal board. This was necessary to 



I 


SECRET // NOFORN // ORCON // 20320621 




SECRET // NOFORN // ORCON // 20320621 


successfully renew a CTD FISA requesting Hybrid Search and Surveillance authority. 
OGC expressed their appreciation for this effort. 


(S//NORFORN) LIAISON: 


(S) 



bl 


(U//FOUO) June 12, 2007: In response to a request by the Digital Ev idence Section 
(DES)/Forensic Audio/Video Image Analysi s Unit (FAVIAU), a tour of 

was given t< j 


to 2 
b7E 


personnel wno nave an interest in Personal Digital Assistant (PDA) passwords and 
defeats. 


€ 


(U//FOUO) TRAINING CONDUCTED: 

* (U//FOUO) June 6, 2007: CEAU’s STEG Manager, SSA | 

presented -'FBI cell phone forensics" to New Jersey prosecutors and investigators at the 
New Jersey Regional Computer Forensic Laboratory, Hamilton, New Jersey. 


b6 

b7C 



SECRET // NOFORN // ORCON // 20320621 


3 





SECRET // NOFORN // ORCON // 20320621 


• (U//FOUO) J une 8, 2007: CEAU's Software Development Group Manager, SSA 

delivered a presentation to the Online Undercover Course attendees at the 
Baltimore Field Office's Calverton Resident Agency in Calverton, MD. Topics addressed k6 
were cryptography, remote access search and surveillance, an d the Voicechaneer dev ice. 

• (U//FOUO) June 13, 2007: CEAU's STEG Manager, SS Al 

presented an hour block on encryption and the Voicechanger device to the Innocent 
Images National Initiative (UNI) Basic Course in Calverton, MD. 

(U//FOUO) OTHER SUPPORT: 

• (U//FOUO) Terrorist Explosive Device Analytical Center (TEDAC)/Joint Improvised 
Explosive Devices Defeat Organization (JIEDDO) requested a technical opinion on 

b2 

b7E 



SECRET // NOFORN // ORCON // 20320621 


4 





SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 



Jki 


Information Technology Specialist 
Operational Technology Division 
Office -j 

Mobile 

Pager « 


be 

hlC 

b 2 


— Original Message 

From: 

Sent: 

To: 

Cc: 

Subject: 


E 


](OTD) (FBI) 


Wednesday, May 31, 2006 9:23 AM 
rOTPK FBn 


lOTD) (FBI); [ 


FW: QPAV Anthrax threat to cruiseliner. 


SENSITIVE BUT UNCtASStiHED 
NON-RECORD 


](OTD) (FBI) 


he 

b7C 


Please coordinate with[ 


]on this... we want to maximize our chances on this CIPAV. The warrants arent signed yet, 


but please prepare the message accordingly. DO NOT DEPLOY or give to the case agent until we have an approved 
warrant. (Pardon if I state the obvious). 


](MM) (FBI) 


— Original Message — 

From: \ 

Sent: Tuesday. Mav 30. 200 6 3:34 PM 

To: 

Subject: 


b7C 


CIPAV 


J(OTO) (FBI) 
](MM) (FBI) 


SENSITIVE BUT UNCtASSlFlgp 
NON-RECORD 


DATE: 02-12-2009 

CLASSIFIED BY 60322UC/LP/STP/gj g b6 
REASON; 1.4 (C) 

DECLASSIFY ON: 02-12-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


<S> 


Here is the affidavit and warrant. Could we send anthra 


k 


bl 


message saving 


b2 

b7 










To: 

Subject: 



RE: EC Directing end to CiPAV operations 


SENSITIVE BUT UN 
NON-RECORD 




Thanks for the EC.(~ ~ 

p t not, could you get and provide that into to me as soon as feasible. 


b2 

b?A 


Thanks, 


ss4 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Development Group 
(desk) 

(ceil) 

(fax-unciass) 


b6 

b7C 

b2 



This is an update on 

been approved. |_^ __ 

« File: EC ending web bug operations » 



This EC has not yet 


sa[ 


Desk 

Nextel 

Direct connect 


DATE; 02-09-2009 

CLASSIFIED BY 60322UC/LP/STP/gj g 

bo 

b7C 

b2 


fext Messages 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 



SENSITIVE BUT 


UkCLA^S 


SIFIED 


SENSITIVE BUT UN 



ALL INFORMATION CONTAINED 
HEREIN 13 UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 



Status: 

Percent Complete: 
Date Completed: 

Total Work: 

Actual Work: 

Owner: 


CIPAv 

Thursday, March 08, 2007 
Thursday, March 08, 2007 

Completed 
1 00% 

Monday, March 26, 2007 

0 hours 
0 hours 


b6 

b7C 



(OTD) (FBI) 


Soke witfl H He advised that they have a case in which l b7E 

L Would like to depoloy a CIPAV to geophysically locate the subjects. Will 
forward EC setting lead for CEAU's assistance. In addition, he is currently working on the SW. He is using the Cl SW as a 
ponie. 


From: 

Sent: 

To: 

Cc: 

Subject: 


kOTD) (FBI) 
Tuesday. March 06. 2007 1 1 :39 AM 

IJ(TP) (FBI) 

T otD) (FBI);|_ 

CIPAv 


b6 

blC 


(OTD) (FBI) 


Follow Up Flag: Follow up 

Due By: Thursday, March .08, 2007 1:30 PM 

Flag Status: Flagged 

UNCLASSIFIED 

NON-RECORD 


Good to hear from you ! I appreciate the TELCAL and your interest in the CIPAV. 

I am forwarding your request to j P rogram Manage r of the Software Development Group. They are the team 

that does the CIPAV. His telephone number is| I b6 

hie 

Hope you are doing well! b2 


Can you please call 


SSA| 

Secure Technologies Exploitation 
Cryptologic and Electronic Analysis Unit 
Operational Technology Division 
Fnningfirino Res earch Facility 

voice 

STU III 

ax (non-secure) 
ax (secure) 


- he has some questions on the CIPAV--his telephone number is 


b6 

b7C 

b2 


UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-30-2008 BY 6Q322UC/LP/STP/gj g 


1 



(OTP) (FBI) 


From: 

Sent: 

To: 

Cc: 

Subjectt: 


k OTDXFBl) 

Friday. March 23. 2007 2:48 PM 

ICI) (FBI) 

K OTD) (FBI) 

Removal of data from CEAU IPAV Regarding Case! 


b2 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

b7C 

Removal of data from CEAU IPAV Regarding Case k2 

I our records indicate that were are no longer actively collecting data for your case. 

Please download and save all data regarding your case from the CEAU IPAV server by June 23 2007. Once we have 
received confirmation that you have downloaded the data it will be deleted from CEAU computers and servers. This allows 
us to free up additional server capacity to support other matters. 

If you need more time to download the information we would be happy to accommodate you. Please contact me regarding 
the disposition of the data and the computers, ■ 



SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 10-16-2008 BY 60322UC/LP/STP/gj g 


l 



From: 

Sent: 

To: 

Cc: 

Subject: 


□(OTD)(FBI) 

007 10:09 AM 
J(TP) (FBI) 

[OTD) (FBI) 

J- Computer Tracer 


SENSITIVE BUT UNCI 
RECORD! “ 


just to confirm. 


I'm sure you notice the activity last night. Their was no new data given. 


will have 



set up a log in for you to download the IP logs from the last few days. 


I am not sure what else we can do to help. 

If you have any questions please feel free to contact me. 


Information Technology Specialist 
Operati onal Technology Division 
Office - 
Mobile 
Pager - 


— Original Message 

From: I \ OV) (FBI) 

Sent: Thursday, March 22, 2007 3:07 PM 

To: I t OTDXFBI) 

Subject: RE J 1 Co mputer T racer 

SENSITIVE BUT JNCgttSSlHEPr ^ 
RECORD I ' — - 


I \ 

No pages, so I’m assuming no activity. Could we get the Ips that have hit it so far? 
Thanks, 


Tampa Cyber 

— O riginal Message 

From: I l (OTD)(FBI) 

Sent: Wednesday, March 2 1, 2007 1:28 PM 

To: I T IPI (FBI) 

Cc: | 1(OTD) (FBI); ! 

SubjectT | P Computer Tracer 

SENSITIVE BUT 

record! ^ 


DATE: 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 

[OTD) (FBI) 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
OTERE SHOOT OTHERWISE 




b6 

blC 


s|CfiCT 



1 1 just wanted to document the steps we have taken in the last few days. 

Friday 16 March - Tampa field office contacted CEAU requesting assistance on locating a computer being used 










As per our telcal, here's the wire receipt for the CIPAV. Thanks again for your assistance! hi c 



Tampa Cyber 

« File: Transfer Receipt.doc » 



i 





I(OTD) (FBI) 

-1£, 2007 10:04 AM 
l(OGC) (FBI) 
fequest 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

■b7C 

b2 


Can you please review the attached affidavit and let me know what the contemplated court ordered authorizations 
are present. TP wants to submit this for signature this aftenoon. That would put us on the clock for providing a solution no 
later then Sunday, March 25th. Let me know your findings as soon as possible so that I can respond to the FO. 

Thanks, 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
(desk) 

(cell) 

(fax-unclass) 


— Original Message — 

From: l~ "| (TP) (FBI) 

Sent: Thursday. March 1 5, 2007 4:02 PM 

To; I(OTD) (FBI) , 

Cc: f IT P) (FBl)f_ 

Subject: FW: CIPAV Request 


(CyD) (FBI) 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

| b7C 

Here's a draft of our search warrant affidavit to obtain the CIPAV. It's moving through our legal dept and AUSA's office. 
Let me know if you all have any technical changes. 

Thanks, 




cipav.wpd (89 KB) 


— Original Mt 

From: 

Sent; 

To: 

Cc: 

Subject: 




I CTP) (FBI) 

Thursday, March 08. 2007 3:22 PM 

I (OT P) (FBI) 

" P ~P) (FBI)J 

CIPAV Request 


>) (FBI); 


>) (FBI); 


^(FBI) 


ALL INFORKATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-24-2008 BY 60322UC/LP/STP/gj g 


1 





' SENSITIVE BUT UNCLASSIFIED 
NON -RECORD 



As per our telcal, here’s the request for the CIPAV for Tampa’s Group II UCO. I’ll send you a draft of the search warrant 
affidavit tomorrow. Please advise if you need any additional info. 

b6 

Thanks, b7c 


tampaCyber 



cipav. request, wpd 
(28 KB) 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 
SENSITIVE BUT UNCLASSIFIED 


(Rev. 01-31-2003) 


FEDERAL. BUREAU OF INVESTIGATION 


Precedence: PRIORITY 


Date: 03/08/2007 


To: Operational Technology 


Cyber 


From : Tampa 

Squad 8 
Contact: SA 


Approved By: 
Drafted By: 


[ 


Case ID #: 


Title: 


Attn: 


Cryptologic & Electronic 
Analysis Unit 


Attn: SSa[ 


b 6 
b7C 


CyD/CIS/C3lU-l, Room 


b6 

b7C 


:den 


(Pending) 


b2 

b7A 


Synopsis: Request the deployment of a Computer & IP Address 

Verifier (CIPAV) . 


Details: 


BACKGROUND 



b7A 


All INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 10-02-2009 BY 60322 UCLP/STP 







Tampa is currently drafting the search warrant 
necessary to obtain the requested CIPAV, which Tampa hopes to 
deploy on or around 03/15/2007. 



5 








To : 
Re : 


b2 


Operational Te chnology From: Tampa 

I 03/08/2007 


LEAD(s) : 

Set Lead 1: (Action) 

OPERATIONAL TECHNOLOGY 

AT OUANTICO. VIRGINIA 

The Cryptologic & Electronic Analysis Unit is requested 
to facilitate the deployment of a CIPAV to support captioned 
Group II UCO. 

Set Lead 2: (Info) 

CYBER 

AT WASHINGTON, D.C. 


For information, read and clear. 




(OTP) (FBI) 


From: 

Sent: 

To: 

Subject: 


I I fOTDXFBI) 

Thursday, March 0 8, 2007 4:35 EM , 

i |(OTD) (FBI); [ITD) (FBI) 

RE: CIPAV Request 


b6 

b7C 


SENSITIVE BUT UNtt^SSiFfED 
NON-RECORD "" 


Seems that since the UCE is in direct communication with the target, we may be abe to 
It would be helpful to know the e-mail provider for the target and UCE. 


hi 

( 3 ) 




Information Technology Specialist 
Qperat onal Technology Division 
Office • 

Mobile 

Pager 


b6 

b7C 

b2 


Original Message — 


From: 

Sent: 

To: 

Cc: 

Subject: 


ThursdaYi Mar 


JOTD) (FBI) 



I FW: um Request 


08, 2007 4:24 PM 
ljFB!) 


COTDXFBI) 


SENSITIVE BUT~UhJCfcASSlFiED 
NON-RECORD ^ 


Gentlemen, 


Here Is the EC regarding the Tampa case. Let me know your thoughts. 


SSA I I 

Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 

.desk) 

(cell) 

(fax-unclass) 


— Original Message — 

From: f I (TP) (FBI) 

Sent: Thursday, March 0 8, 2007 3:22 PM 

To: I IfOTOHFBn 

Cc: I [ (TP) (FBI);Q 

Subject: CIPAV Request 

SENSITIVE BUT UNCt^StFIED 

non-recorcT ^ ^ ’ 



DATE: 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 
PEAS OH: 1.4 (C) 

DECLASSIFY OH: 02-24-2034 

K TP) (FBI) JIZ tT P) (FBI) 


ALL IHFOPHATIOH COFTAIHED 
HEREIH IS UHCLASSIFIED EXCEPT 
TJHERE SHOOT OTHERWISE 


b6 

b7C 

b2 


]CTP)(FBI) 


1 







As per our telcal, here's the request for the CIPAV for Tampa's Group II UCO. I'll send you a draft of the search 
warrant affidavit tomorrow. Please advise if you need any additional info. b6 

b7C 

Thanks, 



2 


From: 

Sent: 

To: 

Subject: 


— J (OTD)(FBI) 

Friday, March 02. 2 007 10:54 AM 

| (OTD) (FBI) 

FW: RMS Request 0000000001 1 5736 aged of at least 60 days. 


UNCLASSIFIED 

NON-RECORD 


can you please clear this from RMS? 


Thanks 
J. . 


Information Technology Specialist 
Operati onal Technology Division 
Office - 
Mobile - 
Pager - 


b2 

b7E 

b6 

b7C 


Original Message ^ 

From: Request Managment System [mailto:| P 

Sent: Friday, March 02, 2007 10:39 AM 

To: 

Subject: RMS Request 000000000115736 aged of at least .60 days. 


RMS Request 000000000115736 aged of at least 60 days. 


Division (Required) 
Program (Required) 
Unit (Required) 

Item (Required) 
Classification 
Requested Support 


OTD 

Computer Exploitation 
CEAU 

Remote Computer Search/Surveillance 

Per previous telephone conversations between SA 


St Louis Division is requesting that CEAU install CIPAV devices in 


112 

2000104 

536870924 


1014; 3730; 



UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 12-23-2008 BY 60322UC/LP/STP/gj g 


l 





(OTP) (FBI) 


From: 

Sent: 

To: 

Subject: 


j (OTD)(FBI) 

Friday. March 0?. 9 007 10:54 AM 
|{OTD) (FBI) 

FW: RMS Request 0000000001 16159 aged of at least 60 days. 




15oN“RECO£D 


:b6 

b7C 


can you please clear this from RMS? 


Thanks 
J. . 


"Information Technology Specialist 
Operati onal Technology Division 
Office ■ 

Mobile - 
Pager - 


Original Message 

From; Request Managment System [mailto; 
: Friday, March 02, 2007 10:39 AM 


ect: RMS Request 000000000116159 aged of at least 60 days. 


To: 

Sub' 


b6 

b7C 


RMS Request 000000000116159 aged of at least 60 days. 



DATE: 02-09-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 

ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 





b7E 


UNCLASSIFIED 

NON-RECORD 


An additional document for the conference all is posted below {at the bottom). 



UNCLASSIFIED 

NON-RECORD 


Here it is. 



UNCLASSIFIED 

NON-RECORD 


be 

b7C 


b2 

b7E 


B The lead i^ |. It’s in your lead box now. Attached is } | 302. I'm routing 

iginal 302 to you, so you can package it up witn your final product for Cl. 

□ Our investigation takes us to Evansville RA. I've reassigned the lead. 



060dd0 1.302 (12 
KB) 


UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN 13 UNCLASSIFIED 

DATE 09-24-2008 BY 60322UC>LP/STP/g}g 






From: 

Sent: 

To: 


Subject: 


(OTP) (FBI) 

1 (Cl) (FBI) 


Erida y , March 0 ? 70 07 8:29 AM 


1 JfnsvFnnl Inst /friyI 

Jiv 

1 WlTl^Tj 

1 wiKa-ji] rtwiTi: 


ssaisiffi! W ith A =IK 1 

(CyD) (FB 

H mum wmm 

L 

(OTD) (FBI)| KCI) (FSI);| | 

WMI 


jm — 

RE: Web Bug Analysis Conference Call 


Importance: High 


UNCLASSIFIED 
NON -RECORD 



daytonbeac report 
.doc (190 KB)... 



I I 038mpe01.ec.wpd 

Analysis (14 KB) (27 KB) 

Dear Conference Cali Participants, 

Here are some documents for your review before we begin the conference call. Conference call information is posted 
below. 


SAl 

Desk 

Nextel 

Direct connect 




b6 

b7C 

b2 


— Original Message — 

From: I 

Sent: ,T iirsdflv Mnrr 

To: 


](IR)(FBI) 


pi, 2007 6:04 PM 
(Cl) (FBI)I 


tCI) (FBI) 


— j(CyD) (FBI] 
JOTO) (FBI)l 


Sr 


Subject: RE: Web Bug Analysis Conference Cali 

Importance: Hig 


IQSXF, 


foSs 


Jn v r H T V. m; ; i w i i a oq 

SO) (FBI) J 


los) (rei)lHj 

rM U|)rFHTvl 


(OTD) (FBI) 



Cl) (FBI); 
CyD) (FBI); 


(Cl) (FBI); 


UNCLASSIFIED 

NON-RECORD 


b6 

b7C 


sa I I 


Your call was sche duled as req uested. To access the conference system, dial[ 
enter your pin code ] 


]when prompted, 


Your parties may begin dialing in as early as 9:45 AM (EST) on 3/2/07. 


1 

ALL INFORMATION CONTAINED 

HEREIN- IS UNCLASSIFIED 

DATE 09-24-2008 BY 6Q322UC/LP/5TP/gj g 




If you have any questions, please call SIOC at 


or e-mail SIOC at HQ_DIV13_SIOC. 


EASI 

SIOC 


b6 

b7C 

b2 


— Ori ginal Message 

From: | 1 (0) (FBI) 

sent; fursdav.Marc Ql,2flt>7 5:48 P 
To: I tOSHFBn: 




CjkCyD)(FB 
(OTD) (FBI) 


1 




Subject: Web Bug Analysis Conference Call 

Importance: Hig 


iwwrsim 


|[0S) f FBI) j 

3 KMW) CF^nl 

igyren: w twh siocF 

(Cl) (FBI);| k< 


laiifBI); 


J[OTD) (FBI) 


JCyD)(FBnj 
I (H) (FBI);[_ 


be 

b7C 



UNCLASSIFIED 

NON-RECORD 


Dear SIOC, 


nference call for 12 participants tommorow (3/2/2007) at 10:00 a.m. EST. The 
(see below). The purpose of the conference call is to discuss with STAU analysis 
of web bug data. Please respond to all with the conference number and PIN. 


Cincinnati req uests a cc 
Point of Contact is SA 


Best wishes, 



[Desk 
N ext el 

Direct connect 


be 

b7C 

b2 


UNCLASSIFIED 


UNCLASSIFIED 


UNCLASSIFIED 








](OTD) (FBI) 


From: 

Sent: 

To: 

Subject: 


fa (FBI) 

Monday. February 26. 2007 4:13 PM 
______J(OTD) (FBI) 

RE: EC Directing end to CIPAV operations 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Dea j 

l*m working on that issue. 
Thanks, 

Sfii I 

Desk 

Nextel 

Direct connect 


b6 

b7C 

b2 


— Original Message — 

From: I I fOTD) (FBI) 

Sent: Monday. February 26, 2007 10:21 AM 

To: I t CI) (FBI) 

Subject: RE: EC Directing end to CIPAV operations 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Thanks for the EC. By the way, were you able to gather the info from the bank concerning which accounts were 
actually hit by the subjects? If not, could you get and provide that info to me as soon as feasible. 

:b6 


Thanks, 


SSA[ 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develp oment Group 
[desk). 

[cell) 

[fax-unclass) 


DATE: P2-09-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 


— Ori ginal Message — 

From: I ~ ~l (cmFBI) 

Sent: Friday, February 23, 2007 2:55 PM 

To: i irrjffl (FBI); 


(FBI) J 

|~"KyP) (FBI):! 


~G) (FBI); I 
l(CyP) (F Biyf 






1(QTD) fFBn: I 


'(siltitiW 


l(OTp) (FB1)J~~ 
ken (f_bi)T 


kl) (FBI );[ 


(Q)(fb!) T~ 

Subject: EC Directing end to QPAV operations 


lO) (FBI) 


J(CyD) (FBI);[ 


lCyD)(FBijI 

I qKHFBnf 

|(CyD)(FBlV:[ 


b7C 

b2 


fa) (FBI): 


li 


pHFSijl 




3 


ALL INFOPI^TION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE shown otherwise 





« File: EC ending web bug operations » 






2 




(Rev. 01 -3 1-2003) 


DATE: 10-02-2009 ALL INFORMATION CONTAINED 

OCppry CLASSIFIED BY 60322 UC LP/STP HEREIN IS UNCLASSIFIED EXCEPT 

REASON: 1.4 (c) WHERE SHOWN OTHERWISE 

DECLASSIFY ON: 10-02-2034 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 02/23/2007 


Cyber 

Attn: 

C3IU-2 





SSA 



OTD 

Attn: 

DES/CEAU 





UC 1 

L 

h2 

b7E 



SSAl 

1 

Chicago 

Attn: 


/ NRAl 

b6 



SA 1 


J b7C 



SA | 

1 



From: Cincinnati 

Squad 13 
Contact: SA [ 

Approved By : I 


Drafted By: 


]: jk 


Case ID #: [ 


( Pending) 


b6 

b7C 


Title: CIPAV OPERATIONS; 


I I b7A 

b2 

Synopsis: CIPAV operations have ended. 


Reference: 


Details: Cincinnati has employed a Computer and Internet Protocol 

Address Identifier ("CIPAV") to gather evidence concerning 


(S) 



hi 


All IHF0PitAT3§£g^gAfNED 

HEREIN 15 UNCLASSIFIED 

DATE 02-24-2009 BY 6Q322UC/LP/STP/gj g 









To : 
Re : 


SECRET 

Cyber From: 


Cin cinnati 

02/23/2007 




h2 


LEAD(s) : 

Set Lead 1: (Info) 

CYBER 

AT C3IU-2, DC 
Read and clear. 

Set Lead 2: (Action) 

OPERATIONAL TECHNOLOGY 
AT CEAU. VA 

End CIPAV operations in support of this case and send 
evidence to Cincinnati. 

Set Lead 3: (Action) 

CHICAGO b 

AT NRA1 

( S ) 

Discontinue support of undercover accounts associated 
with this case and send bill for services to Cincinnati. 

♦♦ 


3 


SECRET 
















b6 

b7C 





Hi Guys, 


(S) 


I hope everything is going weli with your investigation. WE've been looking at the CIPAV stuff today and I 
have the following report to add from recent activity. We're still looking at stuff and expect a second report 
maybe tomorrow morning, but we're trying to feed you info as fast as possible. ,t 






2 




















From: 

Sent: 

To: 


Subject: 






DATE; 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFOPHATIQN CONTAINED 
HEPEIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 



1 




From: 

Sent: 

To: 


Subject: 


SENSITIVE BUT U 
RECORD] 


K° TD > < FB| ) 


b6 

:b7c 


L □(Cl) (FBI) 

Wednesday. February 1 4, 2007 AM 

ICI) (FBI )J 


(JK) (FBI) 


OTP) (FBI)/ 




m (FBI)] 

jl IfQTDWFBIM ~ 






kiWFBOlZZ 

_2£^D) (FBI); 
[(CIHFBI)j 


](CyD) (FBI); 


iC^D 


, Jci) (FBiy 

JCIPAV update 


msumn 


JCI) (FBI); 



b7A 

b2 


ED 


[ 




The investigating Agent checked the log files for the CIPAV freinn nneratert pursuant tn a federal Sfiarrh warrant 
obtained nn 0?/1?/?p07. The previous update discussed log entries 

As of 8:03 a m this mnrninn 


c 




i t3 


iatewin.,1 Thn nnm nntrinn nnnuiyrvi. 


bl 

b2 

b7E 


SAI J 



Desk 

Nextel 

Direct connect 



b6 

b7C 

b2 


SENSITIVE BUT UNC 



DATE: 02-09-2009 

CLASSIFIED BY 60322UC/LP/STT7gj g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
NHEFE SHOOT GTHEOTISE 





(OTP) (FBI) 


b6 

b7C 


: 


From: 

Sent: 

To: 


Subject: 


(Cl) (FBI) 


I 




Tuesday. February 13. 2007 2:55 PM 

OjL— — 


(JK) (FBI) 
(JK) (FBI) 


3CI) (FBI); 
JfOTDHFBr 


l£Jl(FBI);[ 


SENSITIVE BUT UNCLASSIF IED 
RECORDl / \ 


UN^tAS: 


lfQTDIfFBni 


l Si 


ItCyD) (FBI); 
UCIHFBh: 


fCvm 






JCyD) (FBI)[ 


wjijnsnn 


J(CI) (FBI); 


b2 

b7E 

b7A 


This is th J. i Dailv Update for February 13, 2007: 


On Friday, 02/09/2007, our CIPAV search warrant expired and monitoring was shut down. It was the opinion of 
our AUSA that a seemless renewal of the CIPAV w as not possible because search warrant execution periods can not be 
extended. On Monday. 02/12/2007, we learned that! 

I After learning this" I drafted a new affidavit. On the evening of 02/1 1 made return on the 

five previous search warrants, marking them unexecuted. I then obtained five new search warrants and provided faxed 
copies to CEAU/ERF. At 7:16 p.m. the CIPAV again became functional. 


is* 


Starting at 12:23 p.m. EDT on 02/1 3/2007 1 wa anain hanan tn nhsarva arthnh/F 


l.Xhifi.lima 


<S). 


I 


r 


2 


bl 
b2 
•b7E 


I I b7A 

I Analysis nf thp Inns inrlirataft I InciihfO am i jftinn 



<S) 


We are still looking at the logs to determine what we now know. At 2:46 p.m., I spoke with UC[ 



Expect another update tommorow. 
Sincerely, 



DATE: 02-24-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg b6 
REASON: 1.4 (C) b7C 

DECLASSIFY ON: 02-24-2034 b2 


SENSITIVE BUT^jnQU(SS\F\ED 


1 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 




__]{OTD)(FBI) 

I, 2007 9:40 AM 
[OTD) (FBI) 
|(OTD)(CON);| 


lut down 


SENSITIVE BUT 
RECORD! 


Per your directions, as of 0935 on 9 Feb 2007 the case was closed 



Information Technology Specialist 

Operational Tp.chnnlnnv Division 

Office 

Mobile 

Pager 


— Original Message 

From: I I fOTP) (FBI) 

Sent: Friday, February 09 t 2007 :34 AM 

To: I l (OTD)(FBI) 

Subject: FW: Shut down QPAV 

Importance: High 

SENSIT1VF RUT llfinh4SB!Fjf D 
record! 


Read below and execute ASAP! 


Thanks, 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
™|desk) 
cell) 

fax-unclass) 


— Original M< 

From: | 

Sent: H 

to! r 


(Cl) (FBI) 

09,2007 :0 7 AM 
~|QTDH FBI);| 
IHj(CyD) (FBI) 


Subject; Shut down QPAV 
Importance: High 

SENSITIVE BUT UNCfcftS 
RECORD! \ 


:CyD) (FBI); 


(CO (FBI); 


DATE: 02-09-2009 

CLASSIFIED BY 6Q322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-09-2034 . 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED. EXCEPT 
WHERE SHOOT OTHERWISE 









From: 

Sent: 

To: 

Subject: 




b6 

blZ 

b2 


b6 

b7C 

b2 

b7E 


•b2 




Best wishes, 



ALL INFORMATION CONTAINED 

HEREIN 13 UNCLASSIFIED 

DATE 09-24-2008 BY 60322UC/LP/STP/gj g 




SENSITIVE BUT UNCLASSIFIED 








From: 

Sent: 

To: 

Subject: 


\OTD) (FBI) 


](OTD)(FBI) 


J 


Friday. January 12 . 2007 3:10 PM 




(OTP ) (FBI) 


b6 

b7C 


b2 

b?E 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 



I have received the following RMS request. It looks similar to[ 


J)ut don't know if it is or not. 


Here is the RMS info. 


b2 

b7E 


Case is 315Q 


Rennesfpri Snnnnrt is:. 


Contactf 


be 

b7C 


SENSITIVE BUT UNCLASSIFIED 


DATE: 09-26-2008 

CLASSIFIED BY Q322UC/LP/STF/gj g 

REASON: 1.4 (C) 

DECLASSIFY ON: 09-26-2033 


ALL INFQFJMATIQN CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 






From: 

Sent: 

To: 

Cc: 

Subject: 


VOTDHFBIV 


k crrm {fbi) 

Fririav January 19 9007 12:36 PM 


TWl 


2Q 07 
-JSL)(FBI) 
kCTDI (FBI) 


■be 1 

b7C 


UNCLASSIFIED 

NON-RECORD 


b6 

b7C 



Review the below listed opinion. If possible, execute on as many of the suggestions as you can. If you think of any 
other steps you can take, excluding ones we hav e already discussed, implement them so that | | ^2 

~~l b7E 

Thanks, 


SSA[ 


Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
Tdesk) 

Kcell) 

[fax-unclass) 



be 

blC 

'b2 


— Original Message 

From: 

Sent: 

To: J 

Cc: I 

Subject: RE: 


| (OGC) (FBI) 

Thursday, January 11, 2&07 5 :19 PM 


IfOGQ (FBI): I tOGCl (FBI) 

|(OTD)(FBI)J l(OGC) (FBI) 


UNCLASSIFIED 

NON-RECORD 


b6 

b7C 

b2 


Ccto 


PRIVILEGED DELIBERATIVE DOCUMENT - NOT FOR DISCLOSURE OUTSIDE THE FBI WITHOUT PRIOR OGC 
APPROVAL 


Associate General Counsel - Unit Chief 
Science & Technology Law Unit 
Engineering Research Facility 
Bldg 27958A, Room A-207 
Quantico, VA 22135 



— Original 

From: 




(OGC) (FBI) 


1 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 12-24-2008 BY 6Q322UC/LP/STP/gjg 





I 


Sent: 

Thursday, January 11. 2007 5:17 PM 

To: 

j 

(OGC) (FBI) 

Cc: 

r 

(QJD) fFBH 

Subject: 

1 



UNCLASSIFIED 

NON-RECORD 



Ultimately, these facts not only need to be document, but we will need to know wh 
precaution to proving that there was not a domestic tracking without a court order 


UNCLASSIFIED 


UNCLASSIFIED 


UNCLASSIFIED 








b6 

ihlC 


seBngC 

IkOTD) (FBI) 


From: 

Sent: 

To: 

Subject: 


Tuesday. January 


(OTD) (FBI) 

9, 2007 12:51 PM 

l« 


(CyO) (FBI) 

RErfechnical Question regarding the use of IPAV 



NON-RECORD 


Sorry for the dealyed response. To answer your question 


Original Message 

From: I 

Sent; 

To: 

Cc: 

Subject: 


1 (CyD) (FBI) 


Friday lamia™ fW r 2007 8:58 AM 

kOTD) 

l (CyP) (FBI) 


(FBI) 


Technical Question regarding the use of IPAV 


UNCLASatFtED 
NON -RECORD 


b6 

b7C 

b2 


bl 


(S) 


I have a question regarding possible countermeasures that could be used against the IPAV,[ 


(S) 

(S) 


b2 

b7E 


bl 


Thanks, 


Supervisory Special Agentf 


CA TU - Cyber Division (HQ) 

(w; 



”1 protect that which is most important " - Seraph 



DATE; 02-24-2009 

CLASSIFIED BY S0322UC/LP/STP/gj g 

PEAS ON: 1.4 (C) 

DECLASSIFY ON: 02-24-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 




b6 

b7C 


| (OTD) (FBI) 

Friday. January 05 . 2007 7:58 AM 
1 (HO) (FBI) 

RE: 1NORMATION TO CEAU RE CIPAV REQUEST 



Not a problem. Glad we could help. Happy New Year!! 

— Original Message- — 

From: I | (H0) (FBI) 

Sent THnrerfav. lanuarv 04, 2007 5 : 36 PM 

To: I |OTD) (FBI) 

Subject: RE: INORMATION TO CEAU RE CIPAV REQUEST 


b6 

b7C 


SECRET 

RECORD 


'(S) 

Hope you had a good holidays. I just got back today and I want to apologize for the rush to get th e cipav 


request handled last week. I asked and was told the request would not be made until this week, t 
personnel and AUSA decided otherwise. Again, I apologize for the mix up. On the bright side,! 

I I Thanks for all your help. 


irenth 

b2 

b7E 

b7A 


— Ori ginal Message- 

From; | ~ 

Sent: Thursday, U 

To; I 
Cc: r 


|(OTD) (FBI) 
ber 21, 2 006 4:17 PM 
[HO) (FBDjT 

TOfbdI 


'OTPlfFBIl 


;HO) (OGA); 


(HO) (FBI) 


Subject: RE: INORMATION TO CEAU RE CIPAV REQUEST 

SECRET 

RECORr I 


be 

b7C 


I know that some of our requests are already in the process of being c ompleted. However, I just wanted to 
document the telephone conversation that my engineers and I had with | j in this email. Thus, per our 
telephone call, the attached word document contains the requested information that we discussed. 


« File: houstonquestions.doc » 
Thanks for the quick response, 


DATE: 09-26-2008 

CLASSIFIED BY 0322UC/LP/STP/gjg 

REASON: 1.4 (C) 

DECLASSIFY ON: 09-26-2033 


— Original Mess age — 

From: I 

Sent: Thurs 

To J I (01 

Cc J f fHQ 

Subject: INORI 

Importance: High 


SECRET 


|(HO) (FBI) 

Thursday, Dec ember 21, 2006 2:43 PM 

3 (OTD) (F BD1 I COTPlfFB!) 

(HO) (FBI) ! [ HO) (OGA) i I HO) (OGA); 

INORMATION TO CEAU RE QPAV REQUEST 
High 

ALL INFGRHATIDN CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 

W* T 1 


[HO) (FBI) 





( S ) RECORc) 


(S) 

(S) 


« File: E-mail. wpd » 

Attarherf i<L thp F-rr'ail n.hirh intonH trf 


Please call if you have any further questions. 


SA [ I 

Ho uston Squad CT- 5 

m 

(C) 


b6 

b7C 

b2 


bl 

b7A 

b2 

b7E 

be 

b?C 


DERIVEb'FROM: G-3 FBI Classification Guide G-3, dated 1/97, Foreign CountejMtelliaence 
Investigation^ 

DECLASSIFY QN>203 1 1 221 
SECRET 


DERIVED FROM: G-3 FBI ClassificatfeiyGuide G-3. dated 1^97, Foreign Counterintelligence Investigations 
DECLASSIFY ON: 20311221 
SECRET 

DERIVED FROM: G-3 FBI Classification Gtfide G-3. dated 1/9tM?oreian Counterintelligence Investigations 
DECLASSIFY ON: 20311221 " 

SECRET 


DERIVED FROM: G-3 FBf'Classification Guide G-3, dated 1/97, Foreign Counterintelligence investigations 
DECLASSIFY 0N72Q3T122T 
SECRET 


SBBNgC 



From: 

Sent: 

To: 

Subject: 



SENSITIVE BUT UNCLASSIFIED 
RECORD! I 


Dear SS 


b 2 

b6 

b7C 

b2 


I’ve enclosed a copy of our proposed CIPAV affidavit for use in the captioned matter. Please review and make any 
changes you feel necessary. When making changes, use the revision feature of WordPerfect so that changes can be 
automatically incorporated into the final document. 


Best wishes. 



Web Bug 

affidavit. wpd (57 KB 


SENSITIVE BUT UNCLASSIFIED 

{ 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-24-2008 BY 60322UC/LP/STP/gjg 



1 


l (OTD) (FBI) 

Thursday, December 21, 2 006 6:09 PM 

I (HO) (FBI) 

FW: PRfTY Example 


b 6 

b7C 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Attached is a pony to used in constructing your order for the CIPAV. If you have any questions, please contact 


Thanks, 


— -Original Messa ge — 

From: I ~1 (0GQ (FBI) 

Sent: Wednesday, Dece mber 20, 2006 9:51 AM 

To: I I f OTP) (FBI) 

Subject: FW: PR/TT Example 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

b7C 

b2 



3en_pony.PDF (149 
KB) 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investigation 
p h \ I 

Cell ^ I 

Ph (Secure ) \ 

Fax -I I 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 09-24-2008 BY 60322UC/LP/STP/gj g 


1 



From: 


c 

Sent: 


J 

To: 


L 

Subject: 


R 


l/ORCON.NOFORN 

RECORt 



SEBR61 

1<0TD> (FSI) 


](OTD) (FBI) 


*b6 1 

blC 




(HO) (FBI) 


RE: 2ND DRAFT EC REQUESTING CEAU ASSISTANCE 


(S) 


Can you call me ASAP? I need some additional info regarding 


b 2 

hlE 


— Originai Message — 

From: | [ (HO) (FBI) 

Sent: Thursday, Decemb er 21, 2006 10:13 AM 

To: 1 I fOTm (FBI) 

Subject: FW: 2ND DRAFT EC REQUESTING CEAU ASSISTANCE 

Importance: High 

7/qrconnoforn 


b6 

b7C 



(S> 


bl 


Just wanted to make sure you were aware of this. Any thing you need me to do? 


— Original Message — 

From: | [HO) (FBI) 

Sent: Tuesday, Decembe r 19/7 u06 2:45 PM 

To: I H O) (FBI) 

Cc: I 

Subject: FW: 2ND DRAFT EC REQUESTING CEAU ASSISTANCE 

Importance: High 




(HO) (OGA);[ 


l(HO) (OGA);[ 


■SECRei 

pORCON.NOFORN 

RECORE 




JHO) (FBI) 


FYI, it looks like this is being supported by CEAU, and they 

We| I ar p putting tq aether an affidavit for the AUSA to 
CEAu s a6c | before we send to the AUSA. 


should be reaching out to you, at some point. 

get a court order. We’re hoping to get some input from 


We won't set a date to take to the court until everyone’s ready, as the 10 day period kicks in as soon as it’s signed. 
Does | get involved in this, or are you our POC for all things CIPAV related? 


Thanks. 


— Originai Message — 

From: \ I (HO) (FBI) 

Sent: 14, 2006 3:32 PM 

To: I (OTP) (FBI) 

Cc: t J (HO) (OGA); | 


DATE: 02-12-2009 

CLASSIFIED BY 60322UC/lP/STF/gjg 

SEASON: 1.4 (C) 

DE CLASSIFY OH: 02-1 2-2034 
JCHO) (OGA); | [ HO) (FBI) 


S 


1 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 





Subject: 2ND DRAFT EC REQUESTING CEAU ASSISTANCE 

Importance: High 


RECORD 

fS) 


« File: 348wdb01 .wpd » 


Per our discussion today, please see the attached EC and let me know if it looks sufficient for utilization of CIPAV in 
support of our case. If not, please suggest any changes, corrections, etc., and they will be made. 

b6 

Many thanks. b7c 


-b7C 

b2 


Ho uston Squad CT- 5 
(C) 


DERIVED FROMr€L-3 FBI Classification Guide G-3. dated 1/97, Foreign Counterlntelliaenc investigations 






(OTP) (FBI) 




i 


b6 

From: 


J(OTD) (FBI) 


b7C 

Sent: 

Thursday. December 14, 2UUb 5:01 PM 



To: 

1 IfOG 

}C) (FBI) 



Cc: 

J 

TD) (FB0 

|(OTD) (FBI) 


Subject: 

RE: Search Return and Collection 




Follow Up Flag; Follow up 

Due By: Tuesday, December 19, 2006 9:00 AM 

Flag Status: Completed 


SECRET//ORCON.NOFORN 
RECORD! I 

<S) 

r— I 


Concerning the Houston matter, execute using simplest tool possible pending proper legal authority. 

□ 

— Original Message — 

From: I I mm (FBI) 

Sent: . Thursday. Dprpmhfr 14, 2006 2:13 PM 

To: I i OTP) (FBI) 

Cc: 1 |(OTD) (FBI): I l (OTD) (FBI) 

Subject: . Kt: search Return and Collection 


bl 

b6 

b7C 


SECREJ//ORCON *NOFORN 
RECOR 


* 


□ 


(S) 


The list below looks good. 


b2 

b7E 

b7A 


1 ^ 

Jim l 

1 He understands the lenal 


raqiiirfimants and ha unriarfitanris that at most ha will naj 

only circumstantial evidence! I 

He wants to do it. Case Agent will be calling! 

with details. 

las this is a criminal case,l ~ 

~land qiven that the AUSA only needsT 

1 


1 T 



1 


b5 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed 
Ph J 
Cell 


sral Bureau of Investigation 


Ph ( Secure) T 
Fax { 



DATE; 09-26-2008 

CLASSIFIED BY Q322UC/LP/STP/gjg 

PEAS OH: 1.4 (C) 

DECLASSIFY OH: 09-26-2033 


— Original Message — 

From: \ [ OTP) (FBI) 

1 


b6 

b7C 

b2 


ALL INFORMATION CONTAINED 
HEPEIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 







Sent: Thursday, Dece mber 14, 2006 12:58 PM 

To: ' I K OG C) (FBI) 

Subject: RE: Search Return and Collection 

SECRET//ORCON.NOFORN 

recorI 1 


bb 

blC 


Gentlemen, 


To continue with the theme that a split of this mission has caused difficulties, it should be n oted that las t evening, 
CEAU had additional success in testing our planned solution. However, this morning, AGC R eviewed 

the current order is not adequatel SPU identifies the 

l (so iden tified in the dra ft EC that 

was not shared with CEAU until 12/12/2006). This information has been communicated to l InSLB for 

correction in the new order. \ ~~~~~~ 


Further, 


if SPU had been successful in their attempt^ 

situation as well. The old saying “Fools rush in...” comes to mind. 




hi 



b2 

b7E 

b7A 

b6 

b7C 


— Original Mess age — 

From: | I jOTP) (FBI) 

Sent; Wed nescfayJ December 13, 2006 7:08 PM b 6 

To: I l(OT WFBtt: DICLEMENTE, ANTHON P. (OTD) (FBI) b7C 

Cc: I i (OTD) (FBI) 

Subject: RE: Search Return and Collection 


SECRET //ORCQN.NQFORN 
RECORd 


(S) 


The timeline is attached. There have been multiple problems with getting this matter successfully deployed, 
not the least of which has been difficulty with coordinating efforts between the two entities involved, SPU and 
CEAU. Specifically, this lack of coordination manifested itself in the following: 


1 . CEAU was unaware of the amount of information that SPU had concerningf 


This was critical and lead to unnecessary delays. 



lack of direction concerning CEAU's role in this matter. 


Finally, this was one of many cases that CEAU/SDG was working on at the time, with successful deployments. 
In fact, CEAU has so many currently pending operations that I have borrowed an SSA from DITU to work an 
overseas matter. A full accounting will be forthcoming shortly. 


3 


b6 

hlC 





« File: Pittsburgh case.doc » 


— Original Mess age — 

From: I I fOTDVFBR 

Sent: Wednesday, December 13, 2006 5:08 PM 

To: DIQFMFMTE . AfUHHN P. (OTD) (mi 

Cc: | |(OTD) (FBI); ] I f OTD) (FBI) 

Subject: RE: Search Return and Collection 

SECRET//ORCON.NOFORN 
RECORE| f 


be 

b7C 


bl 


Tony, 

Did you get the timeline yet? 


-Original Message — 


From: 

Sent: 

To: 

Cc: 

Subject: 

Importance: 


DICLEMENTE, ANTHON P. (OTD) (FBI) 
Wednesday, Decem ber 13, 2006 3:30 PM 

toT pyren 

](OTD) (FBI); 


FW: Search Return and Collection 
High 


SECRET//ORCON.NOFORN 

record ) | 

(S) 

| | - FYt re the return for | 

Anthony P. DiClemente 
Chief, Digital Evidence Section 
Operational Technology Division 


](OTD) (FBI) 


b6 

b7C 


bl 


b2 


— Original Message — 

From: I ' l (OGC) (FBI) 

Sent: Monday, December 11, 2006 3:59 PM 

To: I I OTP) (FBD: I 

Cc:. DICLEMENTON THON P. ( OTD) (FBI) J 

- OG^ 

| ( PG) (FBI) j 

Subject: FW: Search Return and Collection 

Importance: High 


SECRET/yQRCQN.NQFORh 
RECORC 



ICC vDI (FBI) . 

-JCvD} (FBI);1 

T3) (FBI); L-_..— 1 

PG) (FBI); | 


, rCTD) (FBI); 

]5SAF. (OGC)(FBI 



bl 


b7E 

b6 

b7C 


SPU forwarded a draft EC to! lin November for his revi ew l I 

~ - - - - - | conversation with! 

this morning, he has drafted the portion of the r eturn related t d 

not need further information from us. A d I is aware, the actual search and surveillance has not 
yet been effected. ..we anticipated execution of the search/surveillance authority to occur 

4 








tomorrow... SPU will provide ad ditional input ] 

support of this effort. J'l defer t q I and the operational side to provide more details on what's 
going on there.... 


i i 

Assistant General Counsel 

Science and Technology Law Unit 

Special Techno logies and Applications Office 


b2 

b7E 

b7A 

b6 

b7C 


— Original Messa ge — 

From: 

Sent: 

To: 

Subject: FW: Search Return and Collection 

Importance: High 


t CvD) (FBI) 
Monday. December 11, 2006 3:34 PM 
I . ""I fOGQ (FBI) 


SECRET/, 

RECORD 


FYI 






<S) 


bl 


Original Mess age — 

From: jf 

Sent: 

To: 


L 


l (CTD) (FBI) 

Monday, Decemb er 11, 2006 12:37 PM 


JOTD) (FBI); 



IfCyD) (FBI) 


tc: 

LULLtrctm t, AN lilUlM K. (UlUHrBlJl 

1 foGrvFRivJ 

rag 

□CTD) (FBI);f 


f KPG) (FBI); | 

_J(PG) (FBI)I 

Subject: 

Importance: 

Search Return and Collection 
High 


SECRET//ORCON.NOFORN 

recordI 1 


All. 

(S) 


Referencing 

telephone call with OGC Attv[ 

H]l2/11/06: 


bl 


b6 

b7C 


l(Cy,P) (FBI);, 

n>) (FBi); | I 

OGCXFBI) 


b2 

b7E 

b7A 

b6 

b7C 


CTO needs the Search Return for the conducted survey as soon as possible, today if po ssible. 
Unbelievably even more important, to state the obvious, we, the FBI, need to collect intel|~~j" 



SPU- Does PG have what they need to submit the Search Return? CTD needs that Search Return 
as soon as possible, if not today. 

CEAU- CTD briefed the FISA Review Board that 12/18/06 was the projected collection date. Legally, 
we need collection even sooner, if possible, for presentation to the FISC. Upon 

collection, please provide PG with the specifics so that they can submit the Search Return. 

OGC- Legally, are we on point here? 

PG- Any operational highlights? b 6 

j 1 b7 

Not intending to add to the administrative requirements, please copy myself and] |on 

all communications, e-mail and telephone calls, to ensure proper coordination of efforts. CTD is 
required to coordinate the efforts of FBIHQ/CTD, FBI PG, CEAU/OTD, OST/SPU, OGC/NSLB, and 
OIPR, and answer to the FISC. 


Thanks 


5 


s 


T 





s 


ssa| 

FBIHQ/CTD/LX1 
ITOS 1/CONUS 1 
Rm 4W158 
Desk 
Pgr 

Internal Secure 


b2 

b6 

hlC 



DERIVED FROM: G-3 FBI Classification Guide G-3, dated /I /97, Foreign Counterintelligence 


Investigations / 

DECLASSIFY ON: 20311211 / 

^BECRETV/ORCON.NOFORN / 


DERIVED FROM: G-3 FBI Classification Guide G-2, dated 1/97, Foreign Counterintelligence 


Investigations / 

DECUVSSIFY~ON: 20311211 / 

secre1v/orcon.nofor¥ / 


DERIVED FROM: G-3 FBI Classification 


Investigation 

DECLASSIFY OiN: 20311211 
SECRET //ORCON .N OFORN / 


lide G-3, dated 1/97, Foreign Counterintelligence 


DERIVED FROM: G-3 FBI Classification Guide G-3j dated 1/97. Foreign Counterintelligence 


Investigations \ / 

DECLASSIFY ON: 203*1211 / 
SECRET//ORCON.NOF0RN / 


DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97^ Foreign Counterintelligence 


Investigations / \ 

DECLASSIFY ON: 20311214 \ 

SECRET//ORCON.NOFORN \ 


DERIVED FROM: G-3 FBrClassification Guide G-3, dated 1/97. Foreign Counterintelligence 


Investigations / \ 

DECLASSIFY ON: 203*1211 \ 

SECRET//ORCON.NOFORN \ 


DERIVED FROM: G-7FBI Classification Guide G-3, dated 1/97, Foreign Counterintelligence Investigations 


DECLASSIFY ON: 20311211 


SECRET//ORCONjNOFORN 


DERIVED FROM: JG-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 


DECLASSIFY OH: 20311211 
SECRET//ORC0N.NOFORN 


n 


DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97, Foreign Counterintelligence Investigations 


DECLASSIFY ON: 20311211 


SECRET//ORCON.NOFORN 











. (Rev. 01-31-2003) 


s etwt^oh r nf rfTTiinr qd n 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 


Date: 12/14/2006 


To: Operational Technology 


Attn: 


Cryptologic & Electronic 
Analysis Unit 


UC I ..,.1 

SSA 


b6 

b7C 


From: Houston 

CT-1 

Contact : SA 


Approved By: 
Drafted By: 
Case ID U: 
Title: 


]wdb 



( Pending) 

>. V.I 

(S) 


Full Investigation Initiated: 01/11/2005 (USPER) 


be 

b7C 



bl 

b7A 

b2 

b7E 


<S) 


DATE: 12-23-2008 

CLASSIFIED BY 60322TJC J /LP/STP/gj g 

PEAS OK: 1.4 (C) 

DECLASSIFY OK: 12-23-2033 



ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
TJHEPE SHOOT 0THERUI SE 












SB 



(U) Houston Division has developed a Confidential 
tf) who is willinq to assist with this investigation by 







SECRET//ORCON/NOFORN 


To : 
Re : 


Hpprahinnal ngy From: Houston 


(S) 


12 / 14/2006 

(S) 


bl 


LEAD(s) : 

Set Lead 1: (Action) 

OPERATIONAL TECHNOLOGY 


AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT 



♦♦ 


SECRET//ORCON/NOFORN 










* 



SS4 

Software Development Group (SDG) 
Cryptologic Electronic Analysis Unit (CEAU) 
Digital Evidence Section (DES) 



Operational Tech nology Division (OTD) 
Jfdes/cj 
(cell) 


b6 

blC 

b2 





From: 

Posted At: 
Conversation: 
Posted To: 

Subject: 

Categories: 



lfOTDHFBI) 


[ 


](OTD) (FBI) 


(S) 


(S) 


-■Wednesday. December 06, 2006 10:33 AM - 

Concerning Conversation w/[ 

pnone conversations 


Concerning Conversation w/[ 


on 12/6/2006 


on 12/6/2006 


Document Phone Conversation 


b6 

b7C 



Telephonically contacte d l and advised him that the request for CIPAV technology for use in the subject 

investigation was problematic due to the following concerns: bl 



5. Requested that HO forward an EC providing a sysnopsis of the case, what they are trying to accomplish with the use of 
CEAU’s technology, and a lead requesting assistance with the case. 


DATE: 02-12-2QQ9 

CLASSIFIED BY 60322UC/LP/STP/gj g 

REASON: 1.4 (C) 

DECLASSIFY OH: 02-12-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 



1 




b6 

blC 


From: 

Sent: 

To: 

Cc: 

Subject: 


l(HO) (FBI) 
CIPAV REQUEST 


;HO) (FBI) 

31 , 2006 4:58 PM 
tHOI (QGA);|__ 
NO) (FBI); 


l(HO) (FBI); 


SECRET//ORCON.NOFORN 

RECORd 


(S) 


[ with CEAU at ERF, phone l L advised that he would like an explanation of what it is you want to 

accomplish with the CIPAV request. He would also like to review the proposed affidavit/court order for the CIPAV. Upon 
receipt of this info, he can prepare the CIPAV which can take several days. Please contact him as soon as possible to 
provide info requested. Thanks. 


Squad SO-1 
Houston Division 


b6 

b7C 



— Original Message 

From: 

Sent: 

To: L 

Subject: k! 


|(HO) (06A) 

nber 27, 2006 11:01 AM 
J(HO) (FBI) 


SECRET//! 

recordT 


IN.NOFORN 


Thanks for sending this to me 

— Original Message — 

From: | ~l (HO) (FBI) 

Sent: Monday, Novem ber 27, 2006 9:36 AM 

To: 1 1 (H01 (OGA) 

Subject: FW: FISA 

SECRET//QRCON.NOFORN 

RECORd 


Original Message — 

From: I 


Sent: 

To: 

Cc: 

Subject: 


l(HO) (FBI) 

Friday, Novembe r 17, 2006 2:53 PM 
| (HO) (FBI); | 

— tH d) mv: 


:HO) (OGA) 


(HO) (FBI) 


SECRET//ORCON.NOFORN 
RECORd I 


DATE: ■ 02-12-2009 

CLASSIFIED BY 60322UC/IP/STP/gj g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-12-2034 


(S5 


S 


T 


1 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 




I com pleted t he RMS requests. All ERF needs now is a copy of the FISA order. So in addition to m yself, I l and 
( include I l (CEAU). who is assigned the CIPAV request, and I t DITLO. who is 

assigned the email intercepts, in the email with the FISA order attached. Also briefly describe in the email what you 
will be wanting from both CEAU and DITU. List your contact info in the email and this will start the ball rolling. 
Thanks. 


— Original Message 

From: I ~1( HQ) (FBI) 

Sent: Friday, November 17, 2006 2:08 PM 

To: IfHOl (O GA1 , 

Cc: K HO) (FBI); I T HO) (FBI) 

Subject: RE: FISA 


b6 

b7C 


SECRET//ORCON.NOFORN bl 

RECORD[ H 

(35 


When you get the email with attachments, forward to me, and I I Both l l and I 

wilt be out next week sc | I vill be available to get this started iFyou don’t get it today. As soon as we get the 
order, we will forward to ERF and request via RMS their assistance with both the email and CIPAV requests. 


Thanks. 


Original Mess age 

From: I l (HO) (OGA) 

Sent: Friday, November 17, 2006 11:52 AM 

To: I KHO) (FBI) . 

Cc: 1 l (HO) (FBI); I l (HO) (FBI) j | (HO) (OGA) 

Subject: FISA 


b6 

b7C 


SEC RET//O RCON.NOFORN 
RECORq 1 


Hi 


bl 


( 3 ) 


Just a follow up to my telephone message. It ooks like the FISA will be going to co urt today (I have not heard 
.anything, fin, inst niv.inn.vnii.a.bpads up. 

* have also talked to ,+ 


When I hear something, ill let you know. 
Tha nks 


jtoday about this case. 


b7E 


r 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence 
(tiaations 

DECLASSIFICATION EXEMPTION 1 

secret/zorcOnhooforTT 


DERIVED FROM; G-3 FBI Classification 



. Foreign Counterintelligence Investigations 


DECLASSIFICATION EXEMPTION 1 
SECRET//ORCON.NOFORN 


DERIVED FROM^O^FBI Classification Guide G-3, dated 1/97. Foreign Counterlnteillgi 
DECLASSIFICATION EXEMPTION 1 
SECHET7/ORCON.NQFQRN~ 




kOTD) (FBI) 

Subject: CIPAV fo£ 

Status: Not Started 

Percent Complete: 0% 


Total Work: 0 hours 

Actual Work: 0 hours 


Owner: 


](OTD) (FBI) 


b2 

b7E 


h6 

b7C 


Snnito 'Ajjthl iMnnrtaw nn PriHaw norpmhiar 1 bOOfi rffMO nflarr^ 


bl 


From: 

Sent: 

To: 

Subject: 


](CTD) (FBI) 


<S) 


(SJ 


Friday, December 01. 2006 9:22 AM 
| |(O TD) (FBI) 

CfPAV fo | 


b6 

b7C 

b2 

b7E 


SECRET 
RECORD 31 5N 


Thic ic cnm^thinn that mill rurnh-ahUi onanhnllw ha 


deployed to aif 


Thanks, 


<S) 


b2 

b7E 



ss rt 

CTD-CXS. EPP S 

[desk 

cell 

[pager 


b2 

he 

b7C 


DERfWEDrFROWr4T"3 FBI Clnnsification Guide G-3. dated 1/97. Foreign Sflu nterigtet tigencg tngestjflations 
DECLASSIFY ON: 20311201 
SEI 


DATE: 02-10-2009 

CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-10-2034 


ALL INFORMANT ON CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 








From: 

Sent: 

To: 

Cc: 

Subject: 


(OTP) (FBI) 


j{OTD) (FBI) 

uesday, November 28. 2006 6:34 PM 


I f OTD) (FBI] 

I l ogs) (FB1)C 


] (OTD) (FBI) 


RE: CIPAV court orders - Re 31 5Q-SL-1 91661 (Case Agentl 


b6 

b?C 


SENSITIVE BUT UNfetASSTflED 
NON-RECORD 


Silly question here, but this message says that these were signed on 22 November. [ 


3 


— Original Message — 

From: I 

Sent: 

To: 

Cc: 

Subject: 


] (OGC) (FBI) 


Tuesday- Nnuemher 28, 2006 4:21 PM 

LOTO) (FBI); I 

r OTD! (FBI) 1 


](0TD)(FB11 


Togo (fbh 


CIPAV court orders - Re 3 lSQ-SL- 1916611 (Case Agent 


SENSITIVE BUT UNC 



](OTD) (FBI) 


NON -RECORD 


D 


b6 

b7C 



Please ensure, absent a signed renewal order in hand, that CEAU's exploits are removed fron{ 
this expiration date/time. 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Fed eral Bureau of Inv estigation 
Ph -I 
Cell 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
“WHERE SHOOT OTHERWISE 



Ph ( Secure) 
Fax -1 


DATE: 02-10-2009 

CLASSIFIED BY 60322UC/LP/STP/gj g 

REASON: 1.4 (C) 

DECLASSIFY ON: 02-10-2034 


b2 

b6 

b7C 









b6 

b7C 


bo 

i have access to FBINET). These concern b7c 
[Yo u probably afready have his number, but if hi 
~] Thanks. b2 

b7E 






From: 

Sent: 

To: 

Cc: 

Subject: 

Importance: 


lfOTDHFBJ) 


l (OTDHFBI) 

Tuesday, November 2 8. 2006 5:14 PM 

] (OTD)(FBI) 


-i n . . i \ ~ /V 

](OTD) (FBI){ 


JOGC) (FBI); 


(FBI) 

FW: CIPAV court orders - Re 315Q-SL-1 91661 (Case Agent[ 
High 


be 

b7C 

OTD) 


Follow Up Flag; 
Flag Status: 


Follow up 
Flagged 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD " 



It will be the case agent responsibility to get the renewal authorization to us well in advance to give the largest window of 
opportunity possible. 


I | will address this with the case agent and send a reminder. 

| Its the POC and he will coordinate with the field. 


If you have questions please give me a call. 


Unit Chief, Cryptologic & Electronic Analysis Unit (CEAU) 
Digital Evidence Section 
Operational Tec hnology Division 


b6 

b7C 

b2 


— Original Messa ge--— 

From: I l oGC) (FBI) 

Sent: Tuesday, November 28 , 2006 4:54 PM 

To: ,1 JZ~tOTD)(FBI) J l( OTD) (FBI) 

Cc: I l iOTP) (FBI): I K QTD) ( FBI) 

Subject: RE: CIPAV court orders - Re 315Q-SL-I91661 (Case Agent l D 

mportance: High 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


DATE; 02-10-2009 
FBI I UFO . 

CLASSIFIED BY 60322UC/LF/STP/gj g 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-10-2034 


b6 

b7C 


bl 



ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
TiJHERE SHOWN OTHERWISE 







1 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed 

Ph 

Cel 


eral Bureau of Investigation 


Ph ( Secure) f 
Fax - I 


b2 

b6 

b7C 


— Original Message — 

From: I I rOTDKFBI) 

Sent: ,TuSSdav l .„Nnvf.piber 28, 200 6 4:41 PM 

To: I 

Cc: [ 


(OTD) 


£2£C) (FBI1 : 1 ' "VoTp t (FBI) 

l (OTD) ( 

Subject: RE: CIR£V court orders - Re 315Q-SL-191661 (Case AgentJ 


(OTD) (FBI) 


SENSITIVE BUT UN < 
NON-RECORD / 


IS1FIED 


bl 

b2 

b7E 

b6 

b7C 


Thanks 



( 3 ) 


Information Technology Specialist 
Operational Technology Division 
Office -1 
Mobile 
Pager -I 


- — Ori ginal Message — 

From: I "I fOGCHFBI) 

Sent: Tuesday, November 28, 2006 4:21 PM 

To: I K OTD) (FBI)C=====— ](0 TO )(FBn m 

Cc: I n iOTP) (FBI) ] F oGC HFBIH I OTP) (FBI) 

Subject: CIPAV court orders - Re 315Q-SL-191661 (Case Agen j j 

SENSITIVE BUT WtekASSIFIED 
NON -RECORD X X 


be 

b7C 



SE&RET 







be 

i 

blC 



1t°TD) (FBI) 

From: 

Sent: 

To: 


koGC) (FBI) 

Tuesdav. November 21. 2006 3:00 PM 

“ISUfFBD 

Subject: 


RE: CIPAV court orders 


SENSITIVE BUT UNCP^SSlFIED 
NON-RECORD 


One comment that has come in from my unit re the draft orders that should be forwarded to AUSA | ~~} is that he should 
also cite to the All Writs Act, 28 U.S.C. § 1651(a), given that neither Rule 41 nor 31 17 provides for the ongoing 
execution of a SW-surveillance. 


assistant general Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investigation 
Ph 


Cel 

Ph (sjaci J 
Fax 


T 


] 


b2 

b6 

hlC 


— Original Mp^qp — 

From: k si)(FBI) 

Sent; Friday, Novemb er 17, 2006 6:54 PM 

To: I l oco (FBI) 

Subject: CIPAV court orders 


SENSITIVE BUT UNttASSlfjED 

non-recoreT ^ 


b6 

b7C 

b2 

b7E 

bl 


~l rriA in thPSP tn vnu fnr unnr rsvigw (ha does not havn access to FBINET). These concern 

[ou probably already have his number, but if 

not, you can reach him at | | or can reach me at l I Thanks. 



SENSITIVE BUTJJN CLASSIFIED 


SENSITIVE BUT UNGtASSIFI 



DATE: 10-15-2003 

CLASSIFIED BY 6G3ZZUC/U /STV/q jg 

REASON: 1.4 (C) 

DECLASSIFY ON: 10-15-2033 



ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
IiTHEFZ SHOOT OTHERWISE 




b6 

b7C 



From: 

Sent: 

To: 

Cc: 

Subject: 


[ 


Tuesday. October 


]SL)(FBI) 


2006 4:29 PM 
OTD) (FBI) 


_Q3, 

1° 

lSL 


SL) (FBI); 


KSL) (FBI) 


FW: St Louis CIPAV issue - witn auacnments 


Follow Up Flag: 
Due By: 

Flag Status: 


Follow up 

Wednesday, October 04, 2006 9:00 AM 
Flagged 


SECRET 

RECORD 315o-sl-191661 


]asked me to get in touch with you on the CIPAVs we are wanting to deploy. Just in case you 
don't have them, here is the affidavit and the search warrant language we were planning to use for 
our CIPAVS. I see you already have my explanation of the case (in the email string below). Our 
AUSA has looked at the affidavit w arrant lan guag e and is ready to go on our end to get the search 
warrant and PR/TT orders. I know ! ~b nd | [ discussed the classification issue on the devices, 
and that seems to be the only outstanding hurdle to getting this done. The summary of the case 
outlined in the email string below should help you evaluate the case with respect to that restriction. 
Can you take a look at that summary and let us know what you think about whether this restriction 
applies? f l 


l Anvwav. please let me know if there are 
any other items you need/things you need us to do/changes you need us to make to either 1 ) get 
this process started, or 2) reach the conclusion that we are wasting our time and this technique is 
not going to be possible on our case. Thanks in advance for your help. 





] 




SL JTTF 






(cell) 




<S) 


Original Message ( 




lang ue 

l 

□ SL FBI 


owr lb 

Wednesday, September 27, 2006 11:26 AM 


tn i£ 

1 

KSLXFBI) 


.pdo(r ue 

l-w: bt LOUIS 

CIPAV issue * with attachments 


Secret 






DATE: 12-24-2008 

CLASSIFIED BY 60322UC/LPySTPy?jg 
PEAS OH: 1.4 (C) 

DECLASSIFY OH: 12-24-2033 


bl 


be 

b7C 


b2 

b7E 

b6 

b7E 

b5 


ALL INF0RHATI0N CONTAINED 
HEPEIN IS UNCLASSIFIED EXCEPT 
THERE SHOWN OTHERWISE 







RECORD 315q-sM91661 


— Original Mess age 

lang ue I I fOTD’) (FBI) 

owr Tuesday. Septe mber 26, 2006 11:22 AM 

tn le I IfSU (FBI) 

5( te I I fOTPI (FBI); I 

.pdo(r ie RE: St Louis C3PAV issue - with attachments 

SECRET 

RECORD 315q-sl-191661 


](OTD) (FBI) 


Let me take a minute to introduce myself. I am 


the new program manager for the 


Software Development Group (SDG). SDG handles ail software deployments in CT, Cl, and 
Criminal investigations for CEAU. Please contact me for all future inqueries regarding your case. 
My contact info is as follows: 


be 

b7C 

b2 


SSA | | 

Supervisory Special Agent 
Operational Technology Division 
Digital Evidence Section 
Cryptologic El ectronic Analysis Unit 
[(office) 

|(cellular) 

b6 
b7C 


SECRET 

RECORD 315q-sM91661 


(SL) (FBI) 


— Original Message- 
lang ue I 

owr & Tuesday. Septembe r 26, 2GQ6 9: 27 AM 
tn ie ^ 

5(ie t 

.pdo(r 


J(OTD) (FBI)T 
JOTD) (FBI)J_ 


i£ RE: St Louis OPAV issue - with attachments 


“Ksdcfbi) 

JCOTD) (FBI) 


I thanks yet again for the good insight and info. I'm not su re point 2 is a show stopper: you're 
right - this case was originally pretty much straight criminal. I i 


We'll get to work on this end and keep you guys in the loop as we go. Would you prefer we deal 
with someone else in your unit for the day-to-day aspect of this case? 

Talk to you soon 


b2 

b7E 

b6 

b7C 


Sit I nuic 


desk 

cell 


— -Original Message 

lang ue | 


l(OTD) (FBI) 




b6 

blC 


owr Lfi Monday, Septe mber 25, 2006 4:44 PM 

tn i£ J Irs u (FBn:l lSL)(FBn 

5( i£ | K OTO) (FBI); | t OTD) (FBI) 

.pdo(r u&E: St Louis C3PAV issue - with attachments 

SECRET 

RECORD 315q-sM91661 


Thanks for reminding me. With several cases from the same FO, it is difficult to keep them 
straight. 

There were several issues with this particular case, some easily overcome, and one that 
may be a show stopper. They are as follows: 



b2 

b7E 

b5 



Case Classification. 



b2 

b7E 

b5 


Those are the issues thus far. I have included the Unit Chief and the Program Manager for 
these ops on this message as well. 


□ 


— Original Messa ge — 
lang ue I l cSL) (FBI) 

owr ip Frid ay. September 22, 2006 10:14 AM 

tn |(OTD) (FBI) 

.pdotr ia Sftouis QPAV Issue • with attachments 


b6 

b7C 

b2 

b7E 


SECRET 

RECORD 315q-sl-191661 


I resent you the emai l j wrote on the deal - you have to forgive him, we're 

still trying to teach him the beauty of brevity. 







Original Mes sage 

lang ue | K SL)(FBI) 

owr Lg ' Friday, JSeptemDer i2, 2006 9:12 AM 

tn j l (SLI (FBI) 

.pdo(r i£ FW: St Louis CIPAV issue - with attachments 

SECRET 

RECORD 31 5q-sM 91 661 


— Original M< 
lang ue 
ow rie 
tn i d 

5(uj 

,pdo(r ifi 


I neuron 

Thurs day, Septpmhpr 14 1f}:21 AM 

~~^(S L1fFBIl i (OTD) (FE 

HfrOTP) (FBD; | ;SL) (FBI); 

A, (SL) (FBI) 

RE: St Louis CIPAV issue - with attachments 



SL) (FBI) 


SECRET 

RECORD 31 5q-sM91661 



RECORD 315a-sM91661 


□ 


(U) Ref our telcall on Tuesday, as you requested, I have attached the draft 
affidavit/warrant language we are planning to use (if we can clear all the 
hurdles) for installation of the CIPAVs here in St Louis. If we get the green 
light on this first effort, we will likely also be doing another affidavit 



(U/FOUO) 


S 





b6 

b7C 



(OTP) (FBI) 




A few points. The or der forf 
language of the order| 


is for a 30 day period while the PRT&T is for 60 days. The 
l in my opinion over-rid es the la nguage, in this rasp oLthp EenTrap. So, you 
have limited your collection to 3(5 days. I suggest that you ask AUS f \ ~j to amend the j | order to extend it 

to 60 days (sen 31 17 ri ngsrVt nmvidebme limits ahsmt snrno reason that I'm not aware of. Seems inconsistent to ask 
for 30 days| p ut then ask for 60 days to capture PenTrap information - the 


b6 

b7C 

b2 

b7E 


lorder provides forf 


Another point is that thd 

software) for 30 days 

the exploit must be removed consistent with the order, that is, wjl 
I see this as a source of trouble should the court sign this order. 




[ the CEAU 

It does not make clear when 


ter thfi.aQifa dav of collection of rial 


3 


wording of the order on this point but clarification would be helpful. 


] If this is your intent then I have no problems with the 


While I see AUS>( [point that| las defined by the statute, as a matter of practice 

I haven’t seen this before. I want to run if by my unit cruet and see It he nas any comments to add. All that said, CEAU 
hasn't used their tools in this manner before so we are setting a new course. 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investigation 
Ph-j 

Ceil . 

Ph (Secure) -I 1 

Fax - 1 I 


b6 

b7C 

b2 

b7E 


Original Message — 

From: j | (SL)(FBI) 

Sent: Friday, November 17, 2006 6:54 PM Dir^nur. i a tr\ 

To: \ k OGQ (FBI) PEAS ON. 1.4 (C) 

Subject: CIPAV^court orde 


SENSITIVE BUT U 
NON-RECORD S 


C==i 



DATE: 02-10-2009 

CLASSIFIED BY 60322UC/LP/STP/gj g 


DECLASSIFY OH: 02-10-2034 


SSIFIED 




ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
7IHERE SHOOT OTHERWISE 


me tn spnri thpsp tn vnu fnr,^iiLirj:evipw (he rinp^,.nni have access to FBINET). These concern 

[You probably already have his number, but if 

not, you can reach him at | 


or can reach me at[ 


] Thanks. 








From: 

Sent: 

To: 

Cc: 

Subject: 


l (OTD) (FBI) 

Thursday, Septe mber 14, 2006 3:13 PM 

I, tlQGC) (FBI) 

I -J(OTD) (FBI); I 

RE: CIPAV boiler piate/FISA boiler plate 


(OTD) (FBI) 


SENSfTIVE BUT UNCLASSIFIED 
NON-RECORD 


:b6 

hie 



bz 

blE 

b6 

b7C 


Finally, keep in mind, if I'm not mistaken, that these are two different cases. The one that shows on 
the original message in this chain is a likely FISA (IT) matter, while the one that I was asking about 
with the stolen laptops is a separate case. 


Original Mftssaap 

-Ori gn I I rOGC) (FBI) 

al M gi Thursday. September 14, 2006 1:43 PM b6 

ergi I [(OTD) (FBI) b7C 

asKIINM gi 1 hWI L1HAV OOi l &T fl ate/FI5A boiler plate 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 



r 


You'll have to decide this. 


b2 

b7E 

b5 


NSLB should be involved early on to resolve concerns about whether this is properly being 
worked as a FISA matter. 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 12-24-2003 BY 60322UC/LP/STP/gjg 





Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed eral Bureau of In vestigation 

Ph 4 

Cell 


Ph ( Secure) - 
Fax - | 


:b6 

b7C 

b2 


— Original Message 

-On gn | [(OGC) (FBI) 

al M cp Tuesday, September 05, 2006 1:01 PM 
er gi I 'l (CyO) (FBI) 

asKIINMgi RE: CIPAV boiler plate/ FISA boiler plate 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b2 

b7E 


Finally, tell SL they must work with the substantive desk at FBIHQ and they must work with 
NSLB when drafting the order. NSLB actually drafts the order. 


Assistant (General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Fed eral Bureau of I nvestigation 
Ph- I ~1 

Cell -I 

Ph ( Secure) 4 

Fax | 



b6 

b7C 

b2 


— Original Message — . 

-on cn I I rcvm (FBI) 

al M gi Tuesday, Septem ber 05, 2006 11:35 AM 
er cn t K OGC) (FBI) 

asKIINM gFW: QPAV boiler plate/RSA boiler plate 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


( 2 ) 




As we discussed. be 

— Ori ginal Message — hlC 

-Ori gn( | (OTD) (FBI) 

al M gi Wednesday, Tfiigus t 30, 2006 2 :36 PM 

er gi I 1 (OTD) (FBI); | | (CyD) (FBI) 

asKIINMgFW: CIPAV boiler plate/FISA boiler plate 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Please provide ! [ with the help he requests. 



— oriainaLMesaae— 
■Ori gnL 
al M gi 
er gi 
GNyi 


I (SL) (FBI) 


Wrtlnrelav Auntist 30, 2006 10:35 AM 
OTD) (FBI) 
(SLXF8I) 


asKIINM gdPAV boiler plate/FISA boiler plate 


SENSITIVE BUT UNCLASSIFIED 
NON -RECORD 


b6 

b7C 


□ I hate to admit this to you, but your presentation was very helpful last week. We talked 
about the CIPAV affidavit language your group has - I'd like to get some of that. 



b2 

b7E 


Thanks again 


St. Louis 


pesk 

Icell 


b6 

b7C 

b2 


SENSITIVE BUT UNCLASSIFIED 


( 3 ) 



r b6 , 
b7C 


From: 

Sent: 

To: 

Subject: 


WdXfsi) 


|(OTD} (FBI) 

Monday, November 20, 2006 5:24 PM 

l(HOWOGA) 

FW: CIPAV for i I 


b2 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


I forgot to mention in my previous email to you that your order does not contain the language required for OTD's 
technology. Your order must authorize "remote access search and surveillance (RASS)" prior to us deploying our 
technology. If you desire the use of our techniques, you will have to have your order amended. Please contact the below 
listed person so that he can provide you with the necessary language. 


Thanks, 

Kd 


Original Mess age 

From: I j (OTD) (FBI) 

Sent: Monday, Novembe r 20, 2006 4:25 PM 

I IfHOHOGA) 

Subject: CIPAV for i I 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b2 

b6 

b7C 


I I forwarded me your email regarding your case and your request for OTD's CIPAV technology. This is the 

first I am hearing of your case. Could you please provide me with a synopsis of your case and what your objectives are. 
Please provide the aforementioned information via a lead EC. The requested information will allow me to determine what 
technology is best suited for your case and whether we can assist with this matter. 

If you have any questions regarding this request, fee! free to contact me at the below listed telephone number(s). 


Thanks, 

SSA i 1 

Software Development Group (SDG) 
Cryptologic Electronic Analysis Unit (CEAU) 
Digital Evidence Section (DES) 

Operational Technology Division (OTD) 
(desk) 

(cell) 


b6 

b7C 

b2 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 

1 

ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 12-24-2008 BY 6Q322UC/LP/STP/gj g 




From: [ 

(OTDMFBI) 

Sent: 

Tuesday. November 07. 2006 8:17 AM 

To: 

(OTD) (FRli 

Cc: 

FOGC) (FBI);I 

Subject: 

_RE: St Loujs CIPAV 

SENSITIVEBUTU 

NCl-ft5SiPJED 

RECORDl I 


(ITD) (FBI) 


b6 

b7C 


bl 

b7A 

b2 


One other concern is th e that the Affidavit calls out specifically that we will use CIPAV. I beli bl r 
the best tool' "for this % 4 fts that an issue? b2 


Personally I don’t like using our tool names in the affadavit. 


J... 


[ 

Information Technology Specialist 
Operati onal Technology Division 
Office - 
Mobiie 

Pager - 


b6 

b7C 

b2 




— Original Messane — 

From: 

Sent: r 

To: £ 

Cc: L 

Subject: RE: St Louis CIPAV 


3oTD)(FBI) 
er 07, 2006 7:57 AM 

J(OTD) (FBU 

|(OGC) (FBI) J 


(OTD) (FBI) 


SENSITIVE BUT UN 
RECORDj 


NCfe^SI 


SIFIED 


We have received the computers here at OTD. 
Are we cleared to have ! 


people open the boxes and for us to do the install? 


I do not know the status of the warrant. 


J... 


[ 


] 


be 

b7C 

b2 


Information Technology Specialist 
Operat ional Technology Division 
Office -| 

Mobile 
Pager -j 



Original Message 

From: i __ 

Sent: 

To: 

Cc: 


](OTD) (FBI) 


£ 


umiPBV 


November 06. 2006 6:29 PM 
(OTD)(FBI) 

(FBI) 


fifty 


Subject: FW: St Louis CIPAV 


DATE: 02-10-2009 

CLASSIFIED BY S0322UC/LP/STP/gj g 
REASON: 1.4 SC) 

DECLASSIFY 0IJ: 02-10-2034 



ALL- INFORMATION CONTAINED 
HE PE IN IS UNCLASSIFIED EXCEPT 
WHE RE SHOWN OTHERWISE 





SENSITIVE BUT 
RECORD! 



Original. Massaoa=rrr 

From: | 

Sent: 

To: 

Subject: FW: St Louis QPAV 


}sL)(FBI) 


■ Mnnrtov .artnha: 30, 2006 5:30 PM 
1 1 (OTD) (FBI) 


SENSITIVE BUT UNCI 
RECORDl 



b6 

b7C 



Also, based or l I concurrence on the legal side, do you want us to go ahead and 
send the computers? 


Thanks 


he 

hie 


Original Message — - 

From: I l fOGC) (FBI) 


Monday, October 30, 2006 3:55 PM 

rSL¥FBll 

BlKFBI); | 


Sent: 

To: 

Cc: 

E. (OGC) (FBI) 

Subject: RE: St Louis QPAV 


|(OTD) (FBI)[ 


SENSITIVE BUT UttCEffSSlFIED 
RECORD | 1 


JtOTD) (FBI); I 1 


b2 


hi 


<S) 


Absent the minor recommended additions in yellow in the above attachment, I concur with 
your drafts. Good job. 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investigation 


( 2 ) 






for the use of the CIPAV. I have also included a draft of the language I am thinking to 
use of the PRT&T. Can you take a look and see what you think? Thanks again for all 
your help with this. 



( 3 ) 








From: 

Sent: 

To: 

Cc: 


Subject: 


(OGC) (FBI) 
Tuesday. October 31. 2006 2:59 PM 
^^J{CyD) (FBI)C 


Iq) (FBt)L 

KCI) ( FBlit 


l£Eli 


(FBi) f 
(AT) (FBljJ 


p (cvd)(fbF)T 


( FB, )I r 


}OTD) (FBI); 
IcyD) (FBI ):| 


RE: Web Bug for|_ 


1(CI) (FBI)f 


J p G) (FBIj; 


](N O) (FBI); [ 

MJrnL 


](OTD) 

IkCvD) 


](OG£) (f’Bi) 


](CyD) (FBI); 


b 2 


b6 

b7C 


UNCLASSIFIED 

NON-RECORD 


I've reviewed the materials and EC that you provided. Depending on what you want the CiPAV to do for your investigation, 

H certainly at least a search warrant. We can discuss this when you ancf"^ | 

I agree on what capabilities vou need from the CIPAV. 


b2 
b7E 
3 d 7 A 
3d 6 
b7C 





Ilf it is. then 

we will need to react and adiust vour ODerations accordinalv bv aettina reauired authorizations.! 

i 

1 | it is my opinion that at least a CIPAV set to provide Pen Register/Trap 

ana i raceTntormatton (sw ana i^k i & f orger) can be sought from your federal district court. 




get involved. We can sort this out when you have better information. 


Hope this helps, 


i 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Fed eral Bureau of Inv estigation 

k 


Ph 

Cell, 

Ph (Secure) I 
Fax 


be 

3d7C 

b2 


DATE: 02-10-2009 


Jd6 

b7C 


Subject: 


— Original Message 

From: 

Sent: 

To: 

Cc: 


Tuesday, flctfl 


kcyD) (FBI) 

2006 10:54 AM 


tor 31, 
lOGCl (FBI)J . 
|(Q)(FBi)1 


CLASSIFIED BY 60322UC/LP/STP/gjg 
REASON: 1.4 (C) 

DECLASSIFY ON: 02-10-2034 


Irnmi (FBI) 


Not rFBill 


(CI) (FBU 
Web Bug foil 


JCyD)(FBI)J 


m) (FBI)J 
|AT^ 


(PG)(FW)I 


kOrD) {FBI); 
KCI)(FBI);| 


JCyD) (FBlf 


] 


(CI) (FBI); 

fcnfFBD: 


UNCLASSIFIED 

NON-RECORD ALL INF0FHATI0N CONTAINED 

HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 




















Per our conversatio n [ the best background serial for the case is 


We are considering utilizing a CIPAV/IPAV in conjunction withj 
an affid|v it/.acctlifiaripn for the QPAY/JPAy in prdgi tQ-gmoloy. 


i We are curr ently draf ting 

he tool uoon the approval fpr" - 




We should get a draft application to you soon. 


SSA| 

Cyber Action Team Unit 
Computer Intrusion Section 
Cyber Division 
Room 5931 

935 Pennsylvania Avenue 

Washington, D.C. 20535 be 

'b7C 

b2 



The information transmitted is intended only for the person or entity to which it is addressed and may contain 
confidential and/or privileged material. Any review, retransmission, dissemination, or other use of, or taking 
of any action in reliance upon, this information by persons or entities other than the intended recipient is 
prohibited. If you received this in error, please contact the sender and delete the material from any computer. 



UNCLASSIFIED 





■b6 

b7C 




From: 

Sent: 

To: 

Subject: 


t sLMFBQ 

Mnnrtav fV.tnhpr 30 2006 6:30 PM 
l(OTD) (FBI) 
hW: St Louis C'lPAV 


b2 

SENSITIVE BUT UNCS^glFIED 
RECORDl 1 


(S> 


Any other configuration info that ya*ll need? 

Also, based on | I concurrence on the legal side, do you want us to go ahead and send the computers? 


Thanks 


b6 

b7C 


— -Original Message- 

From: I 

Sent: 

To: 

Cc: 

Subject: 


]0GC) (FBI) 

Monday, October 30, 2006 3:55 PM 
( ](SL)(EBn 


L 


RE: St Louis CIPAV 


Tm (fbi)[ 


(OTD) (FBI){ 


](OTD) (FBI); 


JOGC) (FBI) 


SENSITIVE BUT UNCLASSIFIED 
RECORD P 


bl 

(S) 


Absent the minor recommended additions in yellow in the above attachment, I concur with your drafts. Good job. 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau of Investigation 
P M 1 

Cell - I 1 


Ph ( Secure) -I 
Fax r 


DATE: 10-15-2008 

CLASSIFIED BY 60322UC/LP/STP/gj g 

REASON: 1.4 (C) 

DECLASSIFY ON: 10-15-2033 


b2 

b6 

b7C 


Original Message 

From: 

Sent: 


Sl)(FBI) 

Sunday, October 29," 2006 5:52 PM 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 








As we discussed, here is a draft of the search warrant affidavit and warrant language for the use of the CIPAV. I b6 

have also included a draft of the language I am thinking to use of the PRT&T. Can you take a look and see what you b7c 

think? Thanks again for all your help with this. 



2 






SECRET 

RECORD 31 SQ-sl-1 91 661 


If you can attend, it might save you some time in the long run. 


Assistant general Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed 

Ph 

Cel 


eral Bureau of Investigation 


I 


Ph (Secure ) 
Faxl 


b2 
b 6 
b7C 


!!!!!•'#$%$&■()*+./%+!!!!! 

From: o o 

Sent: e to mtF t tF t 

To: t t to t 

Subject: t t :bt c t:bb utrt : te e uS b 

SECRET 

RECORD 31 5q -sl-191661 



I’m doing a teleconference with[ 


at 2:30 today. FY). 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed 

Ph 

Celli 


it Ch 


_n£_ 


investigation 


Ph (Secure) 1 
FaxQ 


!!!!!’#$%$&■()’+„'%+!!!!! 

From: c tj ttotctt 

Sent: uSube to umt t t tT 

To: jc to t to t c 

Subject: t t :bt c fcbb utrt : te e uS b 


SECRET 

RECORD 31 5q-sl-1 91 661 


b2 

b6 

b7C 


DATE: 02-12-2009 

CLASSIFIED BY 6Q322UC/LP/STP/gjg 
REASON: 1.4 tC) 

DECLASSIFY ON: 02-12-2034 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
TJHERE SHOWN OTHERWISE 


They would like this to fire for the duration o( 


Jwarrant authorization. 


b2 

b7E 





! I (!r#$%$& l 0*+. ,'%+!!!!! ' 

From: jc totto t ctt 

Sent: uSube to umt t t tT 

To: c tj t to t c 

Subject: t t :bt c fcbb utrt : te e 


uSb 


SECRET 

RECORD 315q-sl-191661 


No need for a PRT&T is you are only using 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Federal Bureau n f Investigation 
Ph 

Cell . 

Ph (Sfimmll 

Fax*| 


b2 

b6 

b7C 


From: c tj t to t ctt 

Sent: u Sub e to umt t t t T 

To: tc cTto t c 

Cc: jcCtoCtto t ct oCtoCt to ct t tjto t c 

Subject: t t :bt c tibb utrt : te e uS b 

SECRET 

RECORD 31 5q-s1»1 91661 



I just spoke with SL regarding this matter and they are elated that we have decided to support the cas e. They ar e 
really in the market for a tool that would provide them w ith PT&T functionality. I explained to them thatj J 

\ However, following the conversation with SL. I thought to 
myself thaF~"~ Jwouid better serve the case.' ITwould provide the functionality of the C1PAV I I 

1 35 WSITas provide other useful info that could help further the case. Of course, the latter would 
depend on SL getting the proper authorization. Your thoughts? 


b2 

b7E 

bo 

b7C 


l told SL to contact vo u for vour assista nce in drafting the language for the hybrid SW/PT&T order. I | I s 
amenable to deployin g would you make sure that the proper language is conveyed to SL to support 

the deployment. 


They are planning on forwarding the boxes to us for the install. We will coordinate with Flaps & Seals to assist with 
this matter. 


Thanks, 

Kd 


I !!!!”#$%$&•()*+„'%+!!!!! 

From: tccTto t ctt 

Sent: uSube to umt t tF FtT 

To: c tj t to t c 

Cc: cTCtCoCttotc 
Subject: 



t t :bt c t:bb utrt : te e uS b 


D 




SECRET ^ 

RECORD 315a-sl-191661 


Opinion from | As long as we are using only a CIPAV, I am willing to say this is strictly unciass. b6 

Should the need arise tor additional tools, we will certainly enter the classified reaim. Please pass this to SL b7c 


□ 


!!!!r#$%$&'()*+ l , '%+]!!!! 

From: jcC toCtto t ctt 

Sent: u Sub e to umt t tF t T 

To: tc cTto t c 

Cc: c TC tCoCtto t c 

Subject: t t :bt c fcbb utrt : te e uS b 

SECRET 

RECORD 31 Sq-sM 91661 



What the case agent and AUSA have put together is a warrant that aiinwg loading the computers with 

the exploit and subsequent seizure of this same PPT&T dats | With a caveat that they wi ll 

return to the court with another application if this collection operation is to exten d I All 

of this is based upon probable cause. 

I think it is awkward and will require more work for the CA and AUSA but it may work IF the court sees it for 
what it really is. As a continuing search, it may fail, but as a search and subsequent PRT&T, it will work. I 
recommend specifically notifying the court in the warrant and affidavit that this is a two step request, a search 
(to get i nto the computer eventhQUQ h at the time it is FBI property) and s ubsequen t PRT&T. The search is 
good for | b nd the PRT&T can be good for up tc | \ 


b 1 


b2 

b7E 


Ultimately, if the court signs the order, I think it is sufficient but issues are being generated unnecessarily. 
This doesn't address the security classification issues raised below. 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 


Fed eral Bureau of Inve stigation 
Ph 
Cell 


i 


Fax 





From: 

tC cTto t Ctt 

Sent: 

uSube to umt t tFF tT 

To: 

jcCtoCtto t c 

Cc 

c TC tC oCt tote 

Subject: 

t t :btc t:bbutrt: te e uSb 

SECRET 


RECORD 315a-sl-191661 


b2 

bo 

b7C 













AQ...XQ,§-iRsy., t J,/ 87> Affidavit?! 






irrant 


United States District Court 


Southern 


DISTRICT OF 


Florida 


In the Matter of the Search of 



APPLICATION AND AFFIDAVIT 
( g j FOR SEARCH WARRANT 

CASE NUMBER: 


bl 


I am a 


Herbert E. Hogberg III 


Special Agent 


being duly sworn depose and say: 
and have reason to believe 


Official Title 

that A rvn tha narenn r%4 s%r I nn th*a nfrtrtartw r>r nramicoe \sr\s>i*tn of 


bl 


in the Southern District of Florida 

bl 

(s; 


concerning a violation of Title 18 United States code, Section(s) 2332a 

The facts to support a finding of Probable Cause are as follows: 

see attached affidavit 


ALL FBI II ^FORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 02-24-2009 BY S0322UC./LP/3TP/gjg 


Continued on the attached sheet and made a part hereof: ! Yes No 


Sworn to before me and subscribed in my presence. 


Signature of Affiant 


Date 



at 

City and State 


Name & Title of Judicial Officer 


Signature of Judicial Officer 






United States District Court 



CASE NUMBER: 


TO: and any Authorized Officer of the United States 

Affidavit(s) having been made before me by Herbert E. Hogberg III who has reason to 

Affiant 


hi 



hi 



I am satisfied that the affidavit(s) and any recorded testimony establish probable cause to believe that the person 
or property so described is now concealed on the person or premises above-described and establish grounds for 
the issuance of this warrant. 

YOU ARE HEREBY COMMANDED to search on or before • 

Date 

(not to exceed 10 days) the person or place named above for the person or property specified, serving this 
warrant and making the search (in the daytime - 6:00 A.M. to 10:00 P.M.) (at any time in the day or night as I 
find reasonable cause has been established) and if the person or property be found there to seize same, leaving 
a copy of this warrant and receipt for the person or property taken, and prepare a written inventory of the person 
or property 

seized and promptly return this warrant 

to 

as required by law. ALL FBI information contained u - s * Magistrate judge 

HEREIN IS UNCLASSIFIED • 

DATE 02-24-2009 BY 60322UC/LP/3TP/gj g 

at 

Date and Time Issued City and State 


Name and Title of Judicial 


Signature of Judicial Officer 






